Troubleshooting IPsec

Recall from Chapter 7 that IPsec is used on the PIX firewall to establish a secure VPN tunnel between two endpoints for the purpose of securely exchanging data over IP. IPsec can be configured using IKE with RSA key exchange, IKE with CA certificates, IKE with preshared keys, or preshared keys without IKE (called manual IPsec). When using manual key exchange, you simply create a shared secret that is the same on both endpoints; this approach is not only a security risk, it also has scalability issues.

www.syngress.com

Troubleshooting and Performance Monitoring • Chapter 10 589

We will not repeat the configuration steps necessary to deploy IPsec on PIX firewalls, because that topic was covered in Chapter 7. We instead focus our efforts on using the tools Cisco provides to troubleshoot IPsec problems, working from an IPsec with IKE preshared key configuration. Misconfigurations, mismatched parameters, keys, routing, IP addressing issues, and other problems can conspire to make IPsec fail. You need to be able to isolate and resolve these issues by first recognizing the symptoms and then using the proper tools to determine the cause.

Figure 10.21 shows a simple point-to-point IPsec tunnel configured between PIX1 and PIX2. IPsec is a complicated technology and very unforgiving of errors. A single error can prevent your IPsec configuration from working at all. Therefore, you will find that the majority of your labors will be focused on setting up IPsec correctly in the first place. Here we introduce several commands and procedures that you can use to check your configuration.

Figure 10.21 IPsec Configuration (diagram: IPsec tunnel, IPsec peers 192.168.1.1 and 192.168.4.1. PIX1 inside E1 192.168.1.1/24, outside E0 192.168.2.1/24; RTR1 192.168.2.2/24 on the 192.168.2.0/24 side and 192.168.3.2/24 on the 192.168.3.0/24 side; PIX2 outside E0 192.168.3.1/24, inside E1 192.168.4.1/24.)

! PIX1 configuration snippets
nat 99 0.0.0.0 0.0.0.0
global (outside) 99 192.168.2.10-192.168.2.254 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2
static (inside,outside) 192.168.2.10 192.168.1.1 netmask 255.255.255.255
conduit permit ip 192.168.3.0 255.255.255.0 any
isakmp enable outside
isakmp policy 99 authen pre-share
isakmp policy 99 encryption des
isakmp policy 99 group 1
isakmp policy 99 hash md5
isakmp policy 99 lifetime 9999
isakmp identity address
isakmp key cisco address 192.168.3.1
access-list 99 permit ip 192.168.0.0 255.255.252.0 any
crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac
crypto map FW1 1 ipsec-isakmp
crypto map FW1 2 set peer 192.168.3.1
crypto map FW1 3 match address 99
crypto map FW1 interface outside

! PIX2 configuration snippets
nat 99 0.0.0.0 0.0.0.0
global (outside) 99 192.168.3.10-192.168.3.254 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.2
static (inside,outside) 192.168.3.10 192.168.4.1 netmask 255.255.255.255
conduit permit ip 192.168.3.0 255.255.255.0 any
isakmp enable outside
isakmp policy 99 authen pre-share
isakmp policy 99 encryption des
isakmp policy 99 group 1
isakmp policy 99 hash md5
isakmp policy 99 lifetime 9999
isakmp identity address
isakmp key cisco address 192.168.2.1
access-list 99 permit ip 192.168.0.0 255.255.252.0 any
crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac
crypto map FW1 1 ipsec-isakmp
crypto map FW1 2 set peer 192.168.2.1
crypto map FW1 3 match address 99
crypto map FW1 interface outside

There are several issues with this configuration. For starters, the IPsec peering between PIX1 and PIX2 is to their inside addresses rather than their outside addresses. Although this might work, Cisco does not recommend it as a method to deploy IPsec. Additionally, the addresses of the endpoints have been statically translated to an outside address. This presents a problem in that the actual source address of IPsec traffic will not match when it reaches the remote end, and the hash values will also be incorrect. Solving this problem involves disabling translation for the addresses used to establish peering (nat 0), adding a route to the internal addresses on each firewall, and allowing the addresses to access the firewall.

IKE

The primary mission of IKE is to provide parameters for IPsec by establishing a secure channel over which IPsec will establish its peering. In other words, IKE does the necessary preconfiguration by establishing the security associations that protect IPsec during its negotiations and operations.

IKE peers create the necessary security association if they both agree on a common security policy, which includes using the same encryption, authentication, Diffie-Hellman settings, and hash parameters. Without this agreement, IKE peering will not take place, and IPsec peering will be unable to proceed. IKE authenticates IPsec peers, determines the encryption methods that will be used, and negotiates the various parameters to be used by IPsec, such as encryption, authentication, and keys. In order for IPsec to proceed, IKE must be configured perfectly and working.

Recall from Chapter 7 that IKE works in two phases. In Phase I (main mode), it establishes the security association necessary for two firewalls to become IKE peers. This includes the exchange of and search for common security policies until both peers come to an agreement. During Phase II (quick mode), IKE establishes the security association necessary to protect IPsec during its negotiations and operations. Once Phase II is complete, IPsec can then complete its peering.

Before deploying IKE on your PIX firewall, ensure that each peer can reach the IP address of the other side. If an underlying hardware, network, or translation issue prevents the peers from reaching each other, fix it using the structured methodology presented earlier in this chapter. You can verify reachability using ping.

Cisco provides several commands that you can use to check your IKE configuration and operation; let's look at those commands. The show isakmp command shows how IKE is configured on the PIX firewall. For example:

PIX1# show isakmp
isakmp enable outside
isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 9999

The show isakmp and show crypto isakmp commands display the current IKE parameters configured on a PIX firewall. Notice how the key is hidden to protect its secrecy. You should run this command on both peers and compare the resulting output to ensure that there will be agreement on at least one security policy. If you want more detail or need more information about exactly what each parameter does, use the show isakmp policy command. This command expands on the previous command by spelling out each parameter and its current setting:

PIX1# show crypto isakmp policy
Protection suite of priority 99
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               9999 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Another useful feature of the show crypto isakmp policy command is that it shows you the default values that will be used if you do not specify any. This information is handy when you need to determine what value an unspecified parameter takes if you do not configure it explicitly.

IPsec cannot proceed unless IKE is working. The only exception is when you are not using IKE for IPsec, that is, when you are using manually generated keys with IPsec.

If you want to watch the ISAKMP negotiation process between two IPsec peers, use the debug crypto isakmp command. This command generates a copious amount of output, so use it sparingly. You can use debug crypto isakmp to watch the IKE negotiation process and the exchange of session keys. The debug crypto isakmp command shows IKE activity through Phases I and II. The entire process is triggered when interesting traffic (traffic that matches the applied crypto map) transits the IPsec protected interface. Once that happens, IKE contacts its peer, as shown in Figure 10.22. (Its source port and destination port will be UDP port 500, so you need to ensure that this port is allowed through.)

The first thing the peers do is validate that the hostname or IP address and key pair match their configuration. The initiator sends its security policy parameters to the receiver, which then sends back the parameters from its own policy that match. Having agreed on the security policy, the IKE peers begin Phase I in earnest, completing the Diffie-Hellman exchange and generating session keys. From there, IKE peer authentication is completed, finishing the Phase I security association. Phase II proceeds relatively quickly (hence the reason it is called "quick" mode) by negotiating the security policy that will be used to protect IPsec peer operations. Once Phase II is complete, IPsec then establishes the tunnel, and data transmission begins.

The most common problems that occur during the IKE phases are mismatched preshared keys and differing security policy parameters. The first step in troubleshooting IKE is to compare the configurations of each peer. You can do this with the commands we discussed previously. After you have confirmed that you have an IKE policy that will work on each firewall, initiate the IKE process after running the appropriate debug command. That way, you can monitor its progress or lack thereof.

Figure 10.22 IKE Process (diagram: IKE peers 192.168.2.1 and 192.168.3.1. PIX1 outside E0 192.168.2.1/24 and PIX2 outside E0 192.168.3.1/24, connected through RTR1 across 192.168.2.0/24 and 192.168.3.0/24. Interesting traffic arrives at E0, then:)
1. Send initialization to peer IP and UDP port 500
2. Respond to peer IP and UDP port 500: Security Policy
3. Check received Security Policy for agreement. Match!
4. Diffie-Hellman
5. IKE Authentication, Phase I Complete
6. Phase II: send transform set(s)
7. Compare received transform set. Match!
8. Create IPsec SA and establish IPsec tunnel
9. Data sent over tunnel

If you do not define an IKE security policy common to both peers, or if you neglect to define a security policy at all, IKE will try the defaults for the various values. This means using DES for encryption, SHA for computing the hash values, RSA for authentication, and Diffie-Hellman Group 1 (768 bits) with a lifetime of 86,400 seconds. Policy mismatches will be evident when the output of the show crypto isakmp sa command shows "no state," meaning that the peers did not and could not negotiate main mode successfully due to the mismatch. The "no state" error also appears if there is key (password) disagreement between the two peers. Hash calculations will also fail, and this is something you can watch with the debug crypto isakmp command.
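The policy comparison described above can be done offline before touching the firewalls. The following Python script is an added example, not part of the book: it parses the isakmp policy lines that show isakmp prints on each peer, fills in the PIX defaults listed above for any parameter a policy leaves unspecified, and reports whether the peers share a usable Phase I policy and, if not, which parameter differs. The PIX1 sample input is constructed from the snippets earlier in this section, and the function names are my own.

```python
import re
from collections import defaultdict

# PIX defaults for any policy parameter left unspecified (the same values
# appear as the "Default protection suite" in `show crypto isakmp policy`).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ALIASES = {"authen": "authentication"}   # abbreviated keyword seen in configs
NEGOTIATED = ("encryption", "hash", "authentication", "group")
LINE_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")

def parse_policies(config):
    """Return {priority: parameters}, with defaults filled in for missing ones."""
    suites = defaultdict(dict)
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            prio, key, val = m.groups()
            suites[int(prio)][ALIASES.get(key, key)] = val.lower()
    return {p: {**DEFAULTS, **s} for p, s in suites.items()}

def matching_policies(cfg_a, cfg_b):
    """Priority pairs (a, b) that agree on every negotiated parameter.

    Lifetime is not compared because the peers settle on the shorter value.
    The built-in default suite is left out: it authenticates with RSA
    signatures, which a preshared-key deployment has no certificates for.
    """
    pa, pb = parse_policies(cfg_a), parse_policies(cfg_b)
    return [(a, b) for a, sa in pa.items() for b, sb in pb.items()
            if all(sa[k] == sb[k] for k in NEGOTIATED)]

def mismatches(cfg_a, cfg_b, prio_a, prio_b):
    """Parameters on which policy prio_a of peer A and prio_b of peer B differ."""
    sa, sb = parse_policies(cfg_a)[prio_a], parse_policies(cfg_b)[prio_b]
    return {k: (sa[k], sb[k]) for k in NEGOTIATED if sa[k] != sb[k]}

# Constructed sample input modelled on the PIX1/PIX2 snippets above.
PIX1 = """isakmp policy 99 authen pre-share
isakmp policy 99 encryption des
isakmp policy 99 group 1
isakmp policy 99 hash md5
isakmp policy 99 lifetime 9999
"""
PIX2_BAD = PIX1.replace("hash md5", "hash sha")   # one parameter changed

if __name__ == "__main__":
    print("matching peers:", matching_policies(PIX1, PIX1))
    print("mismatched peers:", matching_policies(PIX1, PIX2_BAD),
          mismatches(PIX1, PIX2_BAD, 99, 99))
```

A mismatched preshared key cannot be caught this way, since show isakmp masks the key; that case still has to be observed with debug crypto isakmp.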

Cisco provides a clear crypto isakmp sa command that you can use to delete existing security associations and force a reinitialization. This command is useful not only for clearing an invalid security association, but also for monitoring the IKE negotiation process with debug.