IKEv1 IPsec Site
IKEv1 provides a framework for the parameter negotiation and key exchange between VPN
peers that is needed to correctly establish a Security Association (SA).
However, the actual work of key exchange and parameter negotiation is carried out by the two
protocols that IKEv1 is built on:
* Oakley
* ISAKMP
ISAKMP takes care of parameter negotiation between peers (for example, DH groups, lifetimes,
encryption and authentication algorithms). Negotiating these parameters is a prerequisite for the
successful establishment of SAs. After an SA has been established, ISAKMP also defines the
procedures for maintaining the SA and for removing it when the connection is terminated.
Note: You will often find the terms ISAKMP and IKE used interchangeably; earlier versions of
ASA (pre 8.4) and IOS use "isakmp" in the command syntax to refer to IKEv1 functions and parameters.
Two mandatory IKEv1 phases (aptly named IKEv1 Phase 1 and IKEv1 Phase 2) must be
completed by each peer before a communications tunnel can be established between them and they
are ready for successful data transmission:
* IKEv1 Phase 1: During this phase, both peers negotiate parameters (integrity and encryption
algorithms, authentication method, DH group, lifetime) to set up a secure and authenticated tunnel. This is also
called the management channel because no user data flows through it (it is actually a
bidirectional IKE SA). Its sole purpose is to protect the Phase 2 negotiations. It is called
bidirectional because both peers use a single session key to secure both incoming and outgoing
traffic. Peer authentication can be carried out by pre-shared keys (pre-share), RSA encryption (rsa-encr)
or RSA signatures (rsa-sig), the three options the IOS "authentication ?" output below lists.
* IKEv1 Phase 2: This second mandatory phase uses the parameters negotiated in Phase 1 to
create the IPsec SAs securely. However, unlike the single bidirectional SA created in Phase 1,
IPsec SAs are unidirectional, meaning a different session key is used for each direction (one
for inbound, or decrypted, traffic, and one for outbound, or encrypted, traffic). This applies to
each administrator-configured source-destination network pair, so you end up
with four unidirectional IPsec SAs if you have two source-destination network pairs defined in a
VPN policy.
I used my 871w IOS router and ASA 5505 firewall to establish an IKEv1 IPsec site-to-site VPN
tunnel. This will help demonstrate the similarities and differences in configuring and
troubleshooting for IKE Phase 1 and IKE Phase 2 VPN policies.
871W(config)#crypto ?
ca Certification authority
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
xauth X-Auth parameters
871W(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
871W(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
871W(config)#crypto isakmp policy 1 // IKE PHASE 1 POLICY; LOWER NUMBER PREFERRED
871W(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
871W(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
871W(config-isakmp)#authentication pre-share
871W(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
871W(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
871W(config-isakmp)#hash sha
871W(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
871W(config-isakmp)#group 2 // DEFAULT DH GROUP
871W(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds
871W(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
871W(config)#access-list 100 permit ip host 192.168.1.1 host 192.168.1.2 // CRYPTO ACL; REMOTE VPN ACL MUST BE REVERSED (MIRRORED)
871W(config)#crypto map ?
WORD Crypto map tag
871W(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
871W(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
871W(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
----
ASA5505(config)# crypto ?
Here are some helpful show and debug commands to troubleshoot IKEv1 IPsec site-to-site VPNs on an
ASA and its equivalent commands on an IOS router:
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
interface: BVI1
Crypto map tag: 871_IKEv1_CMAP, local addr 192.168.1.1
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 | ...>!.H...yQF..D
08 10 05 00 d5 7f 22 c2 1c 00 00 00 0b 00 00 18 | .....".........
0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48 | ..(.x.p..}7..I.H
ce 14 9a 4b 00 00 00 20 00 00 00 01 01 10 8d 28 | ...K... .......(
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 | ...>!.H...yQF..D
0f a8 53 69 | ..Si
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: D57F22C2
Length: 469762048
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48
ce 14 9a 4b
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: R_U_THERE
SPI:
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
Data: 0f a8 53 69
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: C2227FD5
Length: 92
IKE Recv RAW packet dump
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 | ...>!.H...yQF..D
08 10 05 01 1f 35 1f 3c 00 00 00 5c 00 4d bb 90 | .....5.<...\.M..
f3 85 9b 86 93 bb ab 22 d6 23 ef 7e e2 ad 16 65 | .......".#.~...e
62 1d 69 00 82 5c 34 86 74 fb c9 3a 6b 49 ab 08 | b.i..\4.t..:kI..
2c ff 94 d2 83 bb d4 1a 0c e7 53 29 ea b4 80 95 | ,.........S)....
13 31 8c 09 39 12 1a a4 76 bc d4 dd | .1..9...v...
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 1F351F3C
Length: 92
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
88 af 61 fc 7e ee 2c 17 b5 85 99 47 2a e5 96 e4
3d ce a7 94
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: R_U_THERE_ACK
SPI:
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
Data: 0f a8 53 69
Jul 27 15:47:06 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=1f351f3c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing notify payload
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xfa85369)
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0xfa8536a)
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing blank hash payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing qm hash payload
Jul 27 15:47:16 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=86feac10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 | ...>!.H...yQF..D
08 10 05 00 10 ac fe 86 1c 00 00 00 0b 00 00 18 | ................
e9 ee f3 46 cb a6 4b 95 0d f0 c7 83 48 a5 75 50 | ...F..K.....H.uP
a0 49 b4 d9 00 00 00 20 00 00 00 01 01 10 8d 28 | .I..... .......(
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 | ...>!.H...yQF..D
0f a8 53 6a | ..Sj
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 10ACFE86
Length: 469762048
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
e9 ee f3 46 cb a6 4b 95 0d f0 c7 83 48 a5 75 50
a0 49 b4 d9
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: R_U_THERE
SPI:
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
Data: 0f a8 53 6a
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 86FEAC10
Length: 92
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
Responder COOKIE: f9 0b 79 51 46 e5 b2 44
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 9CC21886
Length: 92
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
9e 3b ae fa 17 d3 f0 0d a3 80 7a 6f 04 13 e0 b8
d4 00 6e ba
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: R_U_THERE_ACK
SPI:
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
Data: 0f a8 53 6a
Jul 27 15:47:16 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=9cc21886) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing notify payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xfa8536a)
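As an added example (not the author's code and not part of the debug trace), the following Python decoder walks the ISAKMP header and the HASH + NOTIFY payload chain of the DPD R_U_THERE packet dumped above. It takes the 84 bytes printed under "RAW PACKET DUMP on SEND" and recovers the fields the ASA decodes (cookies, Informational exchange, message ID, notify type 36136 = R_U_THERE, the 16-byte SPI equal to the cookie pair, and the sequence number 0x0fa85369); it also flags the length field of 469762048 (0x1C000000), which does not match the 84 bytes actually shown, instead of trusting it. The received packet is encrypted, so only its header can be walked from the raw dump; the payload fields you see for it come from the ASA's AFTER DECRYPTION view.

```python
import struct
# Field layout per RFC 2408 (ISAKMP header and generic payload) and RFC 3706 (DPD notify types).
NEXT_PAYLOAD = {0: "NONE", 8: "HASH", 11: "NOTIFY"}
EXCHANGE_TYPE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPE = {36136: "R_U_THERE", 36137: "R_U_THERE_ACK"}
FLAG_ENCRYPTION = 0x01

# The 84-byte "RAW PACKET DUMP on SEND" from the debug trace above, hex exactly as printed.
DPD_REQUEST = bytes.fromhex(
    "8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 "
    "08 10 05 00 d5 7f 22 c2 1c 00 00 00 0b 00 00 18 "
    "0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48 "
    "ce 14 9a 4b 00 00 00 20 00 00 00 01 01 10 8d 28 "
    "8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44 "
    "0f a8 53 69")

def parse_isakmp(pkt):
    """Decode the fixed 28-byte ISAKMP header, then walk the payload chain (cleartext only)."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    msg = {"icookie": icky.hex(), "rcookie": rcky.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": EXCHANGE_TYPE.get(xchg, xchg), "encrypted": bool(flags & FLAG_ENCRYPTION),
           "msgid": f"{msgid:08X}", "length": length, "length_ok": length == len(pkt), "payloads": []}
    if msg["encrypted"]:
        return msg  # payload bytes are ciphertext; only the AFTER DECRYPTION view can be walked
    off = 28
    while nxt != 0:  # each generic payload header: next-payload, reserved, length
        if off + 4 > len(pkt):
            raise ValueError("payload chain runs past end of packet")
        p_next, _reserved, p_len = struct.unpack("!BBH", pkt[off:off + 4])
        if p_len < 4 or off + p_len > len(pkt):
            raise ValueError(f"bad payload length {p_len} at offset {off}")
        body = pkt[off + 4:off + p_len]
        payload = {"type": NEXT_PAYLOAD.get(nxt, nxt), "length": p_len, "data": body.hex()}
        if nxt == 11 and len(body) >= 8:  # Notification: DOI, Protocol-ID, SPI size, type, SPI, data
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            spi, data = body[8:8 + spi_size], body[8 + spi_size:]
            payload.update(doi=doi, proto=proto, spi=spi.hex(), notify=NOTIFY_TYPE.get(ntype, ntype),
                           seq=int.from_bytes(data, "big") if len(data) == 4 else None)
        msg["payloads"].append(payload)
        nxt, off = p_next, off + p_len
    return msg

def is_dpd_keepalive(msg):
    """True when the decoded message is a DPD R_U_THERE(_ACK) whose SPI is the Phase 1 cookie pair."""
    n = [p for p in msg["payloads"] if p["type"] == "NOTIFY"]
    return (msg["exchange"] == "Informational" and len(n) == 1 and n[0].get("seq") is not None
            and n[0].get("notify") in NOTIFY_TYPE.values() and n[0]["spi"] == msg["icookie"] + msg["rcookie"])
```

When a tunnel is suspected of being dead, comparing the sequence numbers recovered this way against the "seq number" values in the ASA debug lines confirms whether each R_U_THERE was acknowledged.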