Categorization of Problem Areas
The problem areas of IPsec can be categorized based on their implementations as follows:
LAN-to-LAN Troubleshooting
This section presents the configuration and troubleshooting steps for an IPsec LAN-to-LAN VPN tunnel between two PIX firewalls, based on Figure 7-1.
As shown in Figure 7-1, PIX-A and PIX-B run PIX version 7.0 and are configured for a LAN-to-LAN tunnel. The troubleshooting steps that follow the configuration steps use the same setup.
Configuration Steps
Work through the steps that follow to configure a basic LAN-to-LAN IPsec tunnel between two PIX firewalls:
Step 1. Configure the basic PIX firewall. Before you attempt to configure a LAN-to-LAN VPN tunnel, you need to configure the interfaces and routing on the PIX firewall. Example 7-6 shows how to configure the outside interface of the PIX firewall and define the route. The same procedure is used for the remaining interfaces.

Example 7-6. Configuring Interfaces on the PIX Firewall
! From configuration mode, enter interface configuration mode.
PIX-A(config)# interface ethernet0
! Assign the IP address and subnet mask for the interface.
PIX-A(config-if)# ip address 172.16.172.164 255.255.255.0
! Name the interface with the nameif command. Naming an interface "outside"
! sets its security level to 0 automatically.
PIX-A(config-if)# nameif outside
! Set the speed and duplex with the following two lines.
PIX-A(config-if)# speed auto
PIX-A(config-if)# duplex full
! You can set the security level explicitly with the security-level command.
! The following line is not necessary if the interface is named outside.
PIX-A(config-if)# security-level 0
! Enable the interface.
PIX-A(config-if)# no shutdown
PIX-A(config-if)# exit
! Define a default route (or a more specific static route) through which the
! peer's outside address and the private network behind it are reached.
PIX-A(config)# route outside 0.0.0.0 0.0.0.0 172.16.172.1
PIX-A(config)#
Step 2. Configure the ISAKMP policy and enable ISAKMP on the outside interface. To configure ISAKMP policies, in global configuration mode use the isakmp policy command with its various arguments. The syntax of the ISAKMP policy command is:
isakmp policy priority attribute_name [attribute_value | integer]
Example 7-7 shows how to configure the ISAKMP policy on the PIX firewall. The algorithms used here (3DES, MD5 and Diffie-Hellman group 2) are the ones from the original example; they are weak by current standards, and a new deployment should prefer AES, a SHA-based hash and a larger DH group where both peers support them. Whatever you choose, the authentication, encryption, hash and group attributes must match a policy on the peer; the priority number is local to each firewall.

Example 7-7. ISAKMP Policy Configuration on PIX Firewall
! Set the authentication method to pre-shared key.
PIX-A(config)# isakmp policy 20 authentication pre-share
! Set the encryption algorithm to 3DES.
PIX-A(config)# isakmp policy 20 encryption 3des
! Set the hash algorithm to MD5 for this example.
PIX-A(config)# isakmp policy 20 hash md5
! Set Diffie-Hellman group 2.
PIX-A(config)# isakmp policy 20 group 2
! The default ISAKMP SA lifetime is 86400 seconds (24 hours). The following
! command sets it to 12 hours.
PIX-A(config)# isakmp policy 20 lifetime 43200
! Enable ISAKMP on the outside interface.
PIX-A(config)# isakmp enable outside
PIX-A(config)#
Step 3. Create a transform set. A transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same on both peers. You can create multiple transform sets and then specify one or more of them in a crypto map entry; the PIX firewall uses the transform set information to protect the data flows matched by that crypto map entry's access list. For more background, refer to the section "Creating a Transform Set" in this chapter. To configure a transform set, in global configuration mode use the crypto ipsec transform-set command. The syntax is:
crypto ipsec transform-set transform-set-name encryption-method authentication-method
Example 7-8 configures a transform set named myset with esp-3des encryption and esp-md5-hmac authentication (the same caveat about algorithm strength as in Step 2 applies).

Example 7-8. Configuring Transform Set on the PIX Firewall
PIX-A(config)# crypto ipsec transform-set myset esp-3des esp-md5-hmac
PIX-A(config)#
Step 4. Configure an access list (ACL) to define the interesting traffic for the LAN-to-LAN IPsec tunnel. The access list (the crypto ACL) defines the traffic between the two private networks that must be protected by the tunnel; anything it does not match is sent in the clear. To configure the ACL, use the following syntax:
access-list listname extended permit ip source-ipaddress source-netmask destination-ipaddress destination-netmask
Example 7-9 shows the access-list configuration (ACL 101) on PIX-A that protects the traffic between the two private networks behind PIX-A and PIX-B. The source network for the access list on PIX-A is 192.168.1.0/24 and the destination network is 192.168.2.0/24.

Example 7-9. Defining Interesting Traffic by Access List on PIX-A Firewall
PIX-A(config)# access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)#

You must configure the mirror-image access list on the other side of the tunnel (PIX-B) to define the interesting traffic for the IPsec tunnel, as shown in Example 7-10.

Example 7-10. Mirror Image ACL on PIX-B Firewall to Define IPsec LAN-to-LAN Tunnel Interesting Traffic
PIX-B(config)# access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
PIX-B(config)#

Note that this access list is the exact mirror image of the ACL defined on PIX-A: the source and destination networks are swapped. If the two lists do not mirror each other, the proxy identities proposed during quick mode will not match and the IPsec SA negotiation fails.
Step 5. Define a tunnel group for the LAN-to-LAN tunnel. A tunnel group identifies AAA servers, specifies connection parameters, and defines a default group policy. The PIX firewall stores tunnel groups internally. There are two default tunnel groups: DefaultRAGroup, the default IPsec remote-access tunnel group, and DefaultL2LGroup, the default IPsec LAN-to-LAN tunnel group. You can modify them but not delete them. To establish a basic LAN-to-LAN VPN connection, you must configure the following two attributes for a tunnel group:
(a) Set the connection type to ipsec-l2l (IPsec LAN-to-LAN tunnel) as shown in Example 7-11. Name the tunnel group with the peer's outside IP address; this is how the PIX firewall selects the tunnel group, and therefore the pre-shared key, for an IKE negotiation with that peer.

Example 7-11. Creating LAN-to-LAN VPN Tunnel-Group on PIX Firewall
PIX-A(config)# tunnel-group 172.16.172.163 type ipsec-l2l
PIX-A(config)#

(b) Define the pre-shared key as shown in Example 7-12. The key must be identical on both peers. The value cisco123 is only a placeholder for the example; in production use a long, random key that is unique to this peer, because anyone who learns it can impersonate the peer and bring up a tunnel to your private network. The key is displayed as * in show running-config output, so keep a copy in your secrets store.

Example 7-12. Configuration of the Pre-shared Key for LAN-to-LAN IPsec Tunnel
PIX-A(config)# tunnel-group 172.16.172.163 ipsec-attributes
PIX-A(config-ipsec)# pre-shared-key cisco123
PIX-A(config-ipsec)# exit
PIX-A(config)#
Step 6. Create a crypto map for the LAN-to-LAN tunnel. The crypto map applied to an interface is what triggers IPsec processing; it ties together the crypto ACL, the peer address and the transform set. Only one crypto map can be applied per interface, so to protect different subnets with different settings, or to reach different peers, you create additional entries with the same map name and different sequence numbers. Example 7-13 shows how to create the crypto map entry on PIX-A for the LAN-to-LAN tunnel with PIX-B.

Example 7-13. Creating Crypto Map on the PIX-A Firewall for LAN-to-LAN Tunnel
! Assign the crypto ACL created in Step 4 to the crypto map entry.
PIX-A(config)# crypto map mymap 10 match address 101
! Define the peer IP address (the outside address of PIX-B).
PIX-A(config)# crypto map mymap 10 set peer 172.16.172.163
! Apply the transform set. You can list several transform sets in one entry;
! the peers negotiate the first one that matches on both sides.
PIX-A(config)# crypto map mymap 10 set transform-set myset
PIX-A(config)#

Apply the crypto map to an interface. Once the crypto map is configured, apply it to the interface that faces the peer, which for this tunnel is the outside interface. A crypto map can be applied to any interface of the PIX firewall. When you change a crypto map that is already applied, the PIX firewall applies the change to the running configuration immediately: it drops the existing IPsec connections on that map and re-establishes them under the new settings, so expect a brief interruption. The syntax for applying the crypto map is as follows:
crypto map map-name interface interface-name
Example 7-14 shows how to apply the crypto map to the outside interface of PIX-A.

Example 7-14. Applying the Crypto Map on the Outside Interface of PIX-A
PIX-A(config)# crypto map mymap interface outside
PIX-A(config)#
Step 7. Bypass NAT for the IPsec VPN traffic. If nat-control is turned off on the PIX firewall, no special configuration is needed for the LAN-to-LAN VPN traffic unless a nat statement translates the source network of the VPN traffic to a routable address. In that case, and whenever nat-control is turned on, you must exempt the private networks of the VPN traffic from NAT. An example makes this clear. Assume that network 192.168.1.0/24 behind PIX-A is translated to the outside interface address (172.16.172.164) for Internet access by a nat/global pair. With this setup you need a NAT exemption whether nat-control is on or off: with nat-control off, the PIX firewall still applies any translation that is configured, and with nat-control on it must translate, so without the exemption the packets leave with a translated source address that never matches the crypto ACL and are sent in the clear instead of through the tunnel. Example 7-15 shows how to configure the NAT exemption for the LAN-to-LAN VPN traffic. The exemption ACL should cover exactly the same source and destination pairs as the crypto ACL (you can reuse ACL 101 itself), and the same exemption, with the networks reversed, is needed on PIX-B.

Example 7-15. Bypassing NAT for the LAN-to-LAN VPN Traffic Across the Tunnel
PIX-A(config)# show running-config nat-control
! The following line indicates that nat-control is turned off.
no nat-control
! Now check whether a NAT statement covers the private network that needs to be
! protected by the IPsec tunnel.
PIX-A(config)# show running-config nat
! The following line shows that NAT is configured for the source network of the
! VPN traffic.
nat (inside) 1 192.168.1.0 255.255.255.0
! The corresponding global statement says that all Internet-bound traffic uses
! the outside interface IP address.
PIX-A(config)# show running-config global
global (outside) 1 interface
! To exempt the LAN-to-LAN VPN traffic, create a new ACL (or reuse the crypto
! ACL, 101) with the private networks on both sides as source and destination.
PIX-A(config)# access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Apply the ACL with the nat 0 statement to configure the NAT exemption.
PIX-A(config)# nat (inside) 0 access-list 110
! Verify the NAT configuration.
PIX-A(config)# show running-config nat
nat (inside) 0 access-list 110
nat (inside) 1 192.168.1.0 255.255.255.0
! Verify the ACL configuration.
PIX-A(config)# show running-config access-list 110
access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)#
Step 8. Allow the decrypted IPsec traffic through the firewall. Decrypted packets arriving from the tunnel are still subject to the inbound ACL of the outside interface, so you must allow them either with the sysopt command or with an explicit access list applied inbound on the outside interface. Example 7-16 shows both; use one or the other. sysopt connection permit-ipsec bypasses the interface ACL for all decrypted IPsec traffic from every tunnel, which is convenient but gives every VPN peer unrestricted access to the inside networks; an explicit ACL that permits only the remote private network is the least-privilege choice. Note also that access-group binds one ACL per interface and direction, so if an inbound ACL is already applied to the outside interface, add the permit entry to that ACL rather than replacing it with ACL 120.

Example 7-16. Configuration to Allow the Decrypted Traffic Through the Outside Interface
! Option 1: have the PIX firewall exempt decrypted IPsec traffic from the
! interface ACL check.
PIX-A(config)# sysopt connection permit-ipsec
! Option 2: an explicit ACL instead of the sysopt command. The source is the
! remote private network behind PIX-B; the destination is the local private network.
PIX-A(config)# access-list 120 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Apply the access list inbound on the outside interface.
PIX-A(config)# access-group 120 in interface outside
! Save your changes.
PIX-A(config)# write memory
PIX-A(config)#
Follow the preceding steps to configure the PIX-B firewall. Example 7-17 shows the configuration needed on PIX-B for the LAN-to-LAN tunnel.

Example 7-17. Configuration on the PIX-B Firewall for the LAN-to-LAN Tunnel
! Configure the outside interface.
PIX-B(config)# interface ethernet0
PIX-B(config-if)# ip address 172.16.172.163 255.255.255.0
PIX-B(config-if)# nameif outside
PIX-B(config-if)# speed auto
PIX-B(config-if)# duplex full
PIX-B(config-if)# no shutdown
PIX-B(config-if)# exit
! Define an ISAKMP policy that matches one of the policies defined on PIX-A.
! The priority (10 here, 20 on PIX-A) is local and does not need to match.
PIX-B(config)# isakmp policy 10 authentication pre-share
PIX-B(config)# isakmp policy 10 encryption 3des
PIX-B(config)# isakmp policy 10 hash md5
PIX-B(config)# isakmp policy 10 group 2
PIX-B(config)# isakmp policy 10 lifetime 43200
PIX-B(config)# isakmp enable outside
! Define the transform set, which must match the one on PIX-A.
PIX-B(config)# crypto ipsec transform-set myset esp-3des esp-md5-hmac
! Define the crypto ACL for the LAN-to-LAN VPN: the mirror image of ACL 101 on PIX-A.
PIX-B(config)# access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Define the tunnel group, named with the peer's (PIX-A's) outside interface
! IP address. The pre-shared key must match on both sides.
PIX-B(config)# tunnel-group 172.16.172.164 type ipsec-l2l
PIX-B(config)# tunnel-group 172.16.172.164 ipsec-attributes
PIX-B(config-ipsec)# pre-shared-key cisco123
PIX-B(config-ipsec)# exit
! Configure the crypto map and apply it to the outside interface.
PIX-B(config)# crypto map mymap 10 match address 101
PIX-B(config)# crypto map mymap 10 set peer 172.16.172.164
PIX-B(config)# crypto map mymap 10 set transform-set myset
PIX-B(config)# crypto map mymap interface outside
! Allow the decrypted traffic in on the outside interface (see Step 8 for the
! explicit-ACL alternative).
PIX-B(config)# sysopt connection permit-ipsec
! For the route, the NAT exemption and other settings, refer to the corresponding
! steps for the PIX-A firewall, reversing the source and destination networks.
PIX-B(config)# write memory
PIX-B(config)#
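Before moving on to troubleshooting, it helps to have a mechanical way to catch the mismatches the preceding steps warn about: the set peer address versus the far side's outside address and tunnel-group name, the pre-shared key, the transform set, the ISAKMP policy attributes, the mirror-image crypto ACLs, and NAT exemption coverage. Most of these fail silently until the tunnel is brought up. The following Python script is an added example written for this edit; it is not from the original chapter and not a Cisco tool. It parses the two configurations as typed (show running-config displays the pre-shared key as *, so feed it the configured values), recognizes only the command forms used in Examples 7-6 to 7-17 (access-list ... extended permit ip with network/mask pairs, one crypto map entry per side), does not expand ISAKMP policy attribute defaults, and builds a constructed sample pair from the chapter's addresses. The names parse, check_l2l_pair and sample_config are chosen here.

```python
import re

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse(cfg):
    """Extract the tunnel-relevant statements from one PIX 7.0 config text."""
    c = {"policies": {}, "tsets": {}, "acls": {}, "nat0": None, "tg": {}, "map": {}, "outside_ip": None}
    for blk in re.split(r"(?m)^(?=interface )", cfg):       # one chunk per interface block
        ip = re.search(r"^ ip address (\S+)", blk, re.M)
        if ip and re.search(r"^ nameif outside$", blk, re.M):
            c["outside_ip"] = ip.group(1)
    cur_tg = None                                            # tunnel-group whose ipsec-attributes we are in
    for raw in cfg.splitlines():
        p, line = raw.split(), raw.strip()
        if not p:
            continue
        if line.startswith("isakmp policy "):                # isakmp policy <prio> <attr> <value>
            c["policies"].setdefault(p[2], {})[p[3]] = p[4]
        elif line.startswith("crypto ipsec transform-set "):
            c["tsets"][p[3]] = tuple(p[4:])
        elif ACE_RE.match(line):
            name, *ace = ACE_RE.match(line).groups()
            c["acls"].setdefault(name, set()).add(tuple(ace))
        elif re.match(r"nat \(\S+\) 0 access-list ", line):  # NAT exemption (nat 0)
            c["nat0"] = p[4]
        elif line.startswith("tunnel-group "):
            tg = c["tg"].setdefault(p[1], {})
            if p[2] == "type":
                tg["type"] = p[3]
            elif p[2] == "ipsec-attributes":
                cur_tg = tg
        elif cur_tg is not None and p[0] == "pre-shared-key":
            cur_tg["psk"] = p[1]
        elif line.startswith("crypto map ") and len(p) > 6:  # skips "crypto map NAME interface IF"
            if p[4] == "match":
                c["map"]["acl"] = p[6]
            elif p[5] in ("peer", "transform-set"):
                c["map"][p[5]] = p[6]
    return c


def check_l2l_pair(cfg_a, cfg_b, names=("PIX-A", "PIX-B")):
    """Return a list of findings; an empty list means the two configs agree."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for name, own, other in ((names[0], a, b), (names[1], b, a)):
        peer = own["map"].get("peer")
        if peer != other["outside_ip"]:
            out.append(f"{name}: set peer {peer} is not the far side's outside address {other['outside_ip']}")
        if own["tg"].get(peer, {}).get("type") != "ipsec-l2l":
            out.append(f"{name}: no tunnel-group {peer} of type ipsec-l2l")
        crypto_acl = own["acls"].get(own["map"].get("acl"), set())
        if not crypto_acl <= own["acls"].get(own["nat0"], set()):
            out.append(f"{name}: nat 0 ACL does not cover every crypto ACL entry")
    psk = [s["tg"].get(s["map"].get("peer"), {}).get("psk") for s in (a, b)]
    if None in psk or psk[0] != psk[1]:
        out.append("pre-shared keys are missing or differ")
    tset = [s["tsets"].get(s["map"].get("transform-set")) for s in (a, b)]
    if None in tset or tset[0] != tset[1]:
        out.append(f"transform sets differ: {tset[0]} vs {tset[1]}")
    # Policies are compared on the four negotiated attributes; attribute defaults are not expanded.
    keys = ("authentication", "encryption", "hash", "group")
    pol = [{tuple(x.get(k) for k in keys) for x in s["policies"].values()} for s in (a, b)]
    if not pol[0] & pol[1]:
        out.append("no ISAKMP policy agrees on authentication/encryption/hash/group")
    acl_a, acl_b = (s["acls"].get(s["map"].get("acl"), set()) for s in (a, b))
    if acl_a != {(d, dm, s, sm) for (s, sm, d, dm) in acl_b}:
        out.append("crypto ACLs are not mirror images of each other")
    return out


def sample_config(own_ip, peer_ip, local_net, remote_net, prio, psk="cisco123"):
    """Constructed config in the shape of Examples 7-6 to 7-17 (not a captured device config)."""
    return f"""
interface ethernet0
 ip address {own_ip} 255.255.255.0
 nameif outside
isakmp policy {prio} authentication pre-share
isakmp policy {prio} encryption 3des
isakmp policy {prio} hash md5
isakmp policy {prio} group 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 101 extended permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
access-list 110 extended permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
nat (inside) 0 access-list 110
tunnel-group {peer_ip} type ipsec-l2l
tunnel-group {peer_ip} ipsec-attributes
 pre-shared-key {psk}
crypto map mymap 10 match address 101
crypto map mymap 10 set peer {peer_ip}
crypto map mymap 10 set transform-set myset
"""


PIX_A = sample_config("172.16.172.164", "172.16.172.163", "192.168.1.0", "192.168.2.0", 20)
PIX_B = sample_config("172.16.172.163", "172.16.172.164", "192.168.2.0", "192.168.1.0", 10)
```

Call check_l2l_pair on the two texts; an empty list means the pair agrees, and every entry in the list names the side and the step to revisit. Feeding it a PIX-B with a different pre-shared key or a crypto ACL that is not the mirror of PIX-A's produces one finding for each. Extending it with the ISAKMP lifetime or the inbound interface ACL from Step 8 is straightforward.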
Troubleshooting Steps
The LAN-to-LAN IPsec tunnel may fail to pass traffic for several reasons. This section examines the most common causes and how to resolve them. Troubleshooting of IPsec LAN-to-LAN tunnel issues can be classified as follows:
The sections that follow provide a detailed discussion of these topics.