topic Ah ok, I believe the issue is in Network Security

IPSEC Tunnel

jeniferdcosta1 — Tue, 12 Mar 2019 06:53:26 GMT

Dears

It might be stupid question but want to clarify, I am creating a ipsec tunnel between a voice router and cucm to secure from internal LAN users, but they both are in same premises and in same subnet,10.10.10.1 is for voice gateway and for cucm it is 10.10.10.2. Is this possible to build a ipsec tunnel within the subnet between the 2 devices.??

I can understant that i can keep it in different subnet but it is possible within the same subnet.??

Also i tried building the tunnel but when i execute the command show crypto ipsec sa i didnt saw any packet encrypted of voice signalling but the isakmp tunnel was showing me active.

thanks

As long as you have IP

Marius Gunnerud — Sun, 15 Nov 2015 05:13:03 GMT

As long as you have IP connectivity between the devices you can build an IPsec VPN tunnel between them.

Please remember to select a correct answer and rate helpful posts

Dear Marius,

jeniferdcosta1 — Sun, 15 Nov 2015 05:26:16 GMT

Dear Marius,

attached is the snapshot for configuration on CUCM.

Also i tried building the tunnel but when i execute the command show crypto ipsec sa i didnt saw any packet encrypted of voice signalling but the isakmp tunnel was showing me active.

#sh run | b crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 10.10.4.2 no-xauth
!
!
crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
!
crypto map MGCP-MAP 10 ipsec-isakmp
set peer 10.10.4.2
set transform-set IPSEC-SET
set pfs group2
match address 110

sh crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: MGCP-MAP, local addr 10.229.4.8

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.10.4.8/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.2/255.255.255.255/0/0)
   current_peer 10.10.4.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.229.4.8, remote crypto endpt.: 10.229.4.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.4.8 10.10.4.2 MM_NO_STATE 0 ACTIVE (deleted)

I am no expert on CUCM but it

Marius Gunnerud — Sun, 15 Nov 2015 05:51:25 GMT

I am no expert on CUCM but it looks like you are missing the hash in your crypto isakmp policy

hash sha256

Also you have it set to transport mode on the CUCM or transport on the router side. default on the router is tunneled mode.

crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac

mode transport

Try adding that and see if the tunnel comes up.

But to be perfectly honost, you should set this up on its own VLAN. Doing this via a VPN on the same network is a bit messy and uneeded.

Please remember to select a correct answer and rate helpful posts

Dear thanks for the reply.

jeniferdcosta1 — Sun, 15 Nov 2015 18:14:46 GMT

Dear thanks for the reply.

now the status i snot steady on the below it wait for sometime and then again it goes to MM_NO_STATE

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.4.8 10.10.4.2 QM_IDLE 1016 ACTIVE

i dont get any option for hash256 except only the below

VG_01(config)#crypto isakmp policy 10

_VG_01(config-isakmp)#hash sha ?
<cr>

001332: Nov 13 08:10:48.287: ISAKMP:(1014):beginning Quick Mode exchange, M-ID of 2237452007
001333: Nov 13 08:10:48.287: ISAKMP:(1014):QM Initiator gets spi
001334: Nov 13 08:10:48.287: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001335: Nov 13 08:10:48.287: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001336: Nov 13 08:10:48.287: ISAKMP:(1014):Node 2237452007, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
001337: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
001338: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001339: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

001340: Nov 13 08:10:48.287: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) QM_IDLE
001341: Nov 13 08:10:48.287: ISAKMP: set new node -1502355529 to QM_IDLE
001342: Nov 13 08:10:48.287: ISAKMP:(1014): processing HASH payload. message ID = 2792611767
001343: Nov 13 08:10:48.287: ISAKMP:(1014): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 2792611767, sa = 0x31B85428
001344: Nov 13 08:10:48.287: ISAKMP:(1014):peer does not do paranoid keepalives.

001345: Nov 13 08:10:48.287: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.10.4.2)
001346: Nov 13 08:10:48.287: ISAKMP:(1014):deleting node -1502355529 error FALSE reason "Informational (in) state 1"
001347: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001348: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

001349: Nov 13 08:10:48.287: ISAKMP: set new node 1147210847 to QM_IDLE
001350: Nov 13 08:10:48.291: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001351: Nov 13 08:10:48.291: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001352: Nov 13 08:10:48.291: ISAKMP:(1014):purging node 1147210847
001353: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001354: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

001355: Nov 13 08:10:48.291: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.10.4.2)
001356: Nov 13 08:10:48.291: ISAKMP: Unlocking peer struct 0x3230D2F8 for isadb_mark_sa_deleted(), count 0
001357: Nov 13 08:10:48.291: ISAKMP: Deleting peer node by peer_reap for 10.10.4.2: 3230D2F8
001358: Nov 13 08:10:48.291: ISAKMP:(1014):deleting node -2057515289 error FALSE reason "IKE deleted"
001359: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001360: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_DEST_SA New State = IKE_DEST_SA

001361: Nov 13 08:10:48.291: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) MM_NO_STATE

Ah ok, I believe the issue is

Marius Gunnerud — Mon, 16 Nov 2015 18:15:01 GMT

Ah ok, I believe the issue is that some of the management packets / keepalive packets are going through the VPN tunnel... so in hindsite, I do not think this is going to work after all.

You would need to have a different IP to source packets from than the interface onwhich you are terminating the VPN

Please remember to select a correct answer and rate helpful posts