Troubleshooting IPsec
Recall from Chapter 7 that IPsec is used on the PIX firewall for the establishment of a secure VPN tunnel between two endpoints for the purpose of securely exchanging data over IP. IPsec can be configured using IKE with RSA key exchange, IKE with CA certificates, IKE with preshared keys, or using preshared keys without IKE (called manual IPsec). When using manual key exchange, you simply create a shared secret that is the same on both endpoints; this approach is not only a security risk, but it has scalability issues.
www.syngress.com
Troubleshooting and Performance Monitoring • Chapter 10 589
We will not repeat the configuration steps necessary to deploy IPsec on PIX firewalls, because that topic was covered in Chapter 7. We instead focus our efforts on using the tools Cisco provides to troubleshoot IPsec problems using an IPsec with IKE preshared key configuration. Misconfigurations, mismatched parameters, keys, routing, IP addressing issues, and other problems can conspire to make IPsec fail. You need to be able to isolate and resolve these issues by first recognizing the symptoms and then using the proper tools to determine the cause.

Figure 10.21 shows a simple point-to-point IPsec tunnel configured between PIX1 and PIX2. IPsec is a complicated technology and extremely unforgiving of errors. A single error can prevent your IPsec configuration from working at all. Therefore, you will find that the bulk of your labors will be focused on setting up IPsec correctly in the first place.

Here we introduce several commands and procedures that you can use to check your configuration.
! PIX1 Configuration snippets
nat 99 0.0.0.0 0.0.0.0
global (outside) 99 192.168.2.10-192.168.2.254 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2
static (inside, outside) 192.168.2.10 192.168.1.1 netmask 255.255.255.255
conduit permit ip 192.168.3.0 255.255.255.0 any
isakmp enable outside
isakmp policy 99 authen pre-share
isakmp policy 99 encryption des
isakmp policy 99 group 1
isakmp policy 99 hash md5
isakmp policy 99 lifetime 9999
isakmp identity address
isakmp key cisco address 192.168.3.1
Figure 10.21 IPsec Configuration
[Diagram: IPsec tunnel between IPsec peers 192.168.1.1 and 192.168.4.1. PIX1 has inside address 192.168.1.1/24 and outside address 192.168.2.1/24; RTR1 (192.168.2.2/24 and 192.168.3.2/24) joins the 192.168.2.0/24 and 192.168.3.0/24 networks; PIX2 has outside address 192.168.3.1/24 and inside address 192.168.4.1/24.]
access-list 99 permit ip 192.168.0.0 255.255.252.0 any
crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac
crypto map FW1 1 ipsec-isakmp
crypto map FW1 2 set peer 192.168.3.1
crypto map FW1 3 match address 99
crypto map FW1 2 set peer 192.168.3.1
crypto map FW1 interface outside
! PIX2 Configuration snippets
nat 99 0.0.0.0 0.0.0.0
global (outside) 99 192.168.3.10-192.168.2.254 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.2
static (inside, outside) 192.168.3.10 192.168.4.1 netmask 255.255.255.255
conduit permit ip 192.168.3.0 255.255.255.0 any
isakmp enable outside
isakmp policy 99 authen pre-share
isakmp policy 99 encryption des
isakmp policy 99 group 1
isakmp policy 99 hash md5
isakmp policy 99 lifetime 9999
isakmp identity address
isakmp key cisco address 192.168.2.1
access-list 99 permit ip 192.168.0.0 255.255.252.0 any
crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac
crypto map FW1 1 ipsec-isakmp
crypto map FW1 2 set peer 192.168.2.1
crypto map FW1 3 match address 99
crypto map FW1 interface outside
There are several issues with this configuration. For starters, the IPsec peering between PIX1 and PIX2 is to their inside addresses rather than their outside addresses. Although this might work, Cisco does not recommend it as a method to deploy IPsec. Additionally, the addresses for the peering have been statically translated to an outside address. This presents a problem in that the actual source address of IPsec traffic will not match when it reaches the remote end, and the hash values will also be incorrect. Solving this problem involves disabling translation for the addresses used to establish peering (nat 0), adding a route to the internal addresses on each firewall, and allowing the addresses to enter the firewall.
IKE
The primary mission of IKE is to provide parameters for IPsec by establishing a secure channel over which IPsec will establish its peering. In other words, IKE does the necessary preconfiguration by establishing the security associations to protect IPsec during its negotiations and operations.

IKE peers create the necessary security association if they both agree on a common security policy, which includes using the same encryption, authentication, Diffie-Hellman settings, and hash parameters. Without this agreement, IKE peering will not take place, and IPsec peering will be unable to proceed. IKE authenticates IPsec peers, determines the encryption methods that will be used, and negotiates the various parameters to be used by IPsec, such as encryption, authentication, and keys. In order for IPsec to proceed, IKE must be configured perfectly and working.

Recall from Chapter 7 that IKE works in two phases. In Phase I (main mode), it establishes the security association necessary for two firewalls to become IKE peers. This includes the exchange of and search for common security policies until both peers come to an agreement. During Phase II (quick mode), IKE establishes the security association necessary to protect IPsec during its negotiations and operations. Once Phase II is complete, IPsec can then complete its peering.

Before deploying IKE on your PIX firewall, ensure that each peer can reach the IP address of the other side. If an underlying hardware, network, or translation issue prevents the peers from reaching each other, fix it using the structured methodology presented earlier in this chapter. You can verify reachability using ping.
Cisco provides several commands that you can use to check your IKE configuration and operation; let's look at those commands. The show isakmp command shows how IKE is configured on the PIX firewall. For example:
PIX1# show isakmp
isakmp enable outside
isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 9999
The show isakmp or show crypto isakmp commands display the current IKE parameters configured on a PIX firewall. Notice how the key is hidden to protect its security. You should run this command on both peers and compare the resulting output to ensure that there will be agreement on at least one security policy. If you desire more detail or need more information about exactly what each parameter does, use the show isakmp policy command. This command expands on the previous command by spelling out each parameter and its current settings:
PIX1# show crypto isakmp policy
Protection suite of priority 99
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 9999 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Another useful aspect of the show crypto isakmp policy command is that it shows you the default values that will be used if you do not specify any values. This information can be helpful if you need to determine what a particular unspecified parameter would be if you do not configure it specifically.
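The policy comparison described above can be automated. The following is an added Python example, not from the book or from Cisco: it parses show isakmp output from two peers, fills unspecified parameters with the defaults that show crypto isakmp policy reports, treats a peer with no policy as offering the default suite, and lists the policy pairs on which the peers would agree. The PIX1 sample is the output shown above; the PIX2 sample is constructed.

```python
import re

# Values PIX reports under "Default protection suite" when a parameter is left
# unspecified (taken from the show crypto isakmp policy output above).
DEFAULT_POLICY = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                  "group": "1", "lifetime": 86400}

# Accepts both the running-config form ("authen pre-share") and the show form.
POLICY_RE = re.compile(r"^\s*isakmp\s+policy\s+(\d+)\s+"
                       r"(encryption|hash|authen(?:tication)?|group|lifetime)\s+(\S+)", re.I)

def parse_isakmp_policies(show_output):
    """Map 'isakmp policy <prio> <param> <value>' lines to {prio: {param: value}}, filling
    unspecified parameters with the defaults; no policy at all means the default suite."""
    policies = {}
    for line in show_output.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, param, value = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
            param = "authentication" if param.startswith("authen") else param
            policies.setdefault(prio, {})[param] = int(value) if param == "lifetime" else value
    if not policies:
        return {"default": dict(DEFAULT_POLICY)}
    return {p: {**DEFAULT_POLICY, **v} for p, v in sorted(policies.items())}

def matching_policies(local_output, remote_output):
    """List (local_prio, remote_prio, lifetime) for each policy pair on which both peers
    agree on encryption, hash, authentication and DH group. Lifetime need not match;
    the shorter of the two is the one the peers end up using."""
    must_match = ("encryption", "hash", "authentication", "group")
    local, remote = parse_isakmp_policies(local_output), parse_isakmp_policies(remote_output)
    return [(lp, rp, min(lv["lifetime"], rv["lifetime"]))
            for lp, lv in local.items() for rp, rv in remote.items()
            if all(lv[k] == rv[k] for k in must_match)]

# Constructed sample output: PIX1 as shown on this page; PIX2 with policy 99 using
# SHA instead of MD5 (mismatch) and a policy 100 that relies on the default encryption.
PIX1_SHOW = """isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 9999"""
PIX2_SHOW = """isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash sha
isakmp policy 99 group 1
isakmp policy 100 authentication pre-share
isakmp policy 100 hash md5"""

print(matching_policies(PIX1_SHOW, PIX2_SHOW))  # [(99, 100, 9999)]
```

An empty result means the peers share no usable policy, which is the situation that shows up as "no state" in show crypto isakmp sa.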
IPsec cannot proceed unless IKE is working. The only exception is if you are not using IKE for IPsec, that is, you are using manually generated keys with IPsec.

If you want to watch the ISAKMP negotiation process between two IPsec peers, use the debug crypto isakmp command. This command generates a copious amount of output, so use it sparingly. You can use debug crypto isakmp to watch the IKE negotiation process and the exchange of session keys. The debug crypto isakmp command shows IKE activity through Phases I and II. The entire process is triggered when interesting traffic (traffic that matches the applied crypto map) transits the IPsec protected interface. Once that happens, IKE contacts its peer, as shown in Figure 10.22. (Its source port and destination port will be UDP port 500, so you need to ensure that this port is allowed through.)
The first thing the peers do is validate that the hostname or IP address and key pair matches their configuration. The initiator sends its security policy parameters to the receiver, which then sends back parameters that match from its policy. Having agreed on the security policy, the IKE peers commence Phase I in earnest, completing the Diffie-Hellman exchange and generating session keys. From there, IKE peer authentication is completed, finishing the Phase I security association. Phase II proceeds relatively quickly (hence the reason it is called "quick" mode) by negotiating the security policy that will be used to protect IPsec peer operations. Once Phase II is complete, IPsec then establishes the tunnel, and data transmission begins.

The most common problems that occur during the IKE phases are mismatched preshared keys and different security policy parameters. The first step in troubleshooting IKE is to compare the configurations of each peer. You can do this with the commands we discussed previously. After you have determined that you have an IKE policy that will work on each firewall, initiate the IKE process after running the appropriate debug command. That way, you can monitor its progress or lack thereof.
Figure 10.22 IKE Process
[Diagram: IKE peers 192.168.2.1 (PIX1, outside) and 192.168.3.1 (PIX2, outside), connected through RTR1 across the 192.168.2.0/24 and 192.168.3.0/24 networks. Interesting traffic arrives at E0, then:
1. Send initialization to peer IP and UDP port 500
2. Respond to peer IP and UDP port 500: Security Policy
3. Check received Security Policy for agreement. Match!
4. Diffie-Hellman
5. IKE Authentication, Phase I Complete
6. Phase II - send transform set(s)
7. Compare received transform set. Match!
8. Create IPsec SA and establish IPsec tunnel
9. Data sent over tunnel]
If you do not define an IKE security policy common to both peers or if you neglect to define a security policy at all, IKE will try the defaults for the various values. This means using DES for encryption, SHA for calculating the hash values, RSA for authentication, and Diffie-Hellman Group 1 (768 bits) with a lifetime of 86,400 seconds. Policy mismatches will be apparent when the output of the show crypto isakmp sa command shows "no state," meaning that the peers did not and could not negotiate main mode successfully due to the mismatch. The "no state" error also appears if there is key (password) disagreement between the two peers. Hash calculations will also fail, and this is something you can watch with the debug crypto isakmp command.

Cisco provides a clear crypto isakmp sa command that you can use to delete existing security associations and force a reinitialization. This command can be useful not only to clear an invalid security association, but it's also helpful in monitoring the IKE negotiation process with debug.