IPsec
After IKE successfully negotiates the parameters such as the method to be used
for encryption, authentication, and the size of key to use, IPsec is then ready to perform
its mission of creating a VPN. IPsec requires that IKE has already negotiated
the various previously identified parameters. IPsec peers compare transform
sets to determine what each can support. They negotiate the authentication,
encryption, and hashing methods until they find agreement. If they do not find
agreement, they do not become peers, and the tunnel will not be established.
To check which transform sets you have configured, use the show crypto ipsec
transform-set command. Notice that this command tells you if IPsec will negotiate
AH, ESP, or a combination of both. Here is an example:
PIX1# show crypto ipsec transform-set
Transform set FW1: { ah-md5-hmac }
will negotiate = { Tunnel, },
{ esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
It is important for IPsec peers to have in their transform sets common parameters
on which they can agree. Crypto maps are used to specify the traffic to be
encrypted. Execute the show crypto map command to verify your maps. For
example:
www.syngress.com
Troubleshooting and Performance Monitoring • Chapter 10 595
PIX2# show crypto map
Crypto Map: "pixola" interfaces: {outside }
Crypto Map "pixola" 1 ipsec-isakmp
Peer = 192.168.2.1
access-list 100 permit ip 192.168.2.0 255.255.255.0 any (hitcnt=1)
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ pix, }
This command also identifies the IPsec peer and the interface to which the
map is applied. In this example, PIX2 has the crypto map "pixola" applied to its
outside interface. It is peering with PIX1 (at IP address 192.168.2.1) and will
encrypt traffic that matches access list 100. It also tells you how many matches
have been made against that access list, a quick way to determine if anything is
being selected for IPsec processing.
After verifying that there is agreement in the transform sets and the crypto
maps are defined correctly, verify that data is actually being protected. To verify,
use the show crypto ipsec sa command shown in Figure 10.23.
Figure 10.23 Verifying IPsec
PIX1# show crypto ipsec sa
interface: outside
Crypto map tag: pixola, local addr. 192.168.2.1
local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.1/255.255.255.0/0/0)
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 3a18fca2
inbound esp sas:
spi: 0x61af4121(2451330208)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: pixola
sa timing: remaining key lifetime (k/sec): (4000159/9460)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound ESP sas:
spi: 0x61af4121(2451330208)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: pixola
sa timing: remaining key lifetime (k/sec): (4000159/9460)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
The output of this command can be very detailed. The crypto map tag identifies
the crypto map being used, whereas the local and remote "ident" lines show the IP
addresses of the local and remote peers. The "pkts" counters track how many
packets have been encrypted, decrypted, and compressed. So far, five packets have
been sent and received encrypted. This is an indication of successful IPsec operation.
The crypto "endpt" section identifies the IPsec peers. Notice that the path
MTU as well as the media MTU are shown, which can be useful in determining
if fragmentation will occur. The SPI is a unique identifier for this tunnel. We
can also see the transform set parameters being used and whether it is operating
in tunnel or transport mode. The lifetime indicates the amount of time left before
the SA will be renegotiated. The last section, "outbound sas," verifies that both
inbound and outbound SAs have been established. It also indicates how many
seconds and kilobytes are left before the SA must be renegotiated.
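Reading these counters by eye works for one tunnel; for many tunnels it helps to script the checks. The following is an added example, not code from the book, that parses a constructed sample of show crypto ipsec sa output and flags the conditions discussed above: a missing inbound or outbound SA, no traffic matching the crypto map, one-way traffic (packets encrypted but none decrypted), send/receive errors, and an SA close to its lifetime. The sample text, the function names and the 300-second rekey threshold are all assumptions made for the example.

```python
import re

# Constructed sample (not the book's figure): packets leave but nothing returns,
# receive errors are counted, and both SAs are within 120 seconds of rekeying.
SAMPLE = """\
interface: outside
    Crypto map tag: pixola, local addr. 192.168.2.1
   current_peer: 192.168.3.1
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 3
     inbound esp sas:
      spi: 0x61af4121
        sa timing: remaining key lifetime (k/sec): (4000159/120)
     outbound esp sas:
      spi: 0x3a18fca2
        sa timing: remaining key lifetime (k/sec): (4000159/120)
"""

PKTS_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):? (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors (\d+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
SA_RE = re.compile(r"(inbound|outbound) (esp|ah) sas:\s+spi: (0x[0-9a-f]+)", re.I)

def parse_ipsec_sa(text):
    """Extract peer, packet counters, error counters, SPIs and lifetimes from the output."""
    peer = re.search(r"current_peer: (\S+)", text)
    return {
        "peer": peer.group(1) if peer else None,
        "pkts": {k: int(v) for k, v in PKTS_RE.findall(text)},
        "errors": {k: int(v) for k, v in ERR_RE.findall(text)},
        "sas": {f"{d.lower()}_{p.lower()}": s.lower() for d, p, s in SA_RE.findall(text)},
        "lifetimes": [(int(kb), int(sec)) for kb, sec in LIFE_RE.findall(text)],
    }

def check_ipsec_sa(info, min_seconds=300):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings, pkts = [], info["pkts"]
    for d in ("inbound", "outbound"):  # both directions need an SA
        if not any(k.startswith(d) for k in info["sas"]):
            findings.append(f"no {d} SA established with {info['peer']}")
    if pkts.get("encaps", 0) == 0 and pkts.get("decaps", 0) == 0:
        findings.append("no packets processed: check the crypto map access-list hit count")
    elif pkts.get("encaps", 0) > 0 and pkts.get("decaps", 0) == 0:
        findings.append("one-way traffic: encrypting but never decrypting; check the peer's crypto map")
    for k, n in info["errors"].items():
        if n:
            findings.append(f"{n} {k} errors reported")
    if info["lifetimes"] and min(sec for _, sec in info["lifetimes"]) < min_seconds:
        findings.append(f"SA will be renegotiated within {min_seconds} seconds")
    return findings
```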
Check the SA lifetime with the show crypto ipsec security-association command.
For example:
PIX1# show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/28800 seconds
You can use the debug crypto ipsec command to monitor IPsec negotiations,
which will start once IKE is fully initialized between the peers. For ease of
troubleshooting, run the IKE and IPsec debug commands separately. Otherwise, you will be
overwhelmed by the amount of data that they produce. First perform IKE
troubleshooting (which has to occur before IPsec can proceed), and then move
on to IPsec troubleshooting.
If you want to reinitialize IPsec, you can do so. This is useful when you want
to clear corrupted or invalid sessions or if you want IPsec to establish a new
tunnel. It can also be useful if you want to monitor IPsec operations from the
onset using debug commands. At any time, you can manually force an SA negotiation
to occur with the clear crypto ipsec sa command. The clear crypto ipsec sa command
deletes existing security associations (all of them) and forces the
establishment of new associations if there is an active trigger such as a crypto
map. You can get very specific with this command, such as specifying a particular
peer with clear crypto ipsec sa 192.168.2.1.