01-12-2014 01:18 PM - edited 03-11-2019 08:28 PM
Hi Everyone,
I am studying about VPN these days.
I did
sh crypto isakmp sa
Active SA: 8
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8
1 IKE Peer: 198.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 197.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 163.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 51.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
5 IKE Peer: 71.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
6 IKE Peer: 207.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
7 IKE Peer: 71.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
8 IKE Peer: 68.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Need to know what these 8 peers mean here. Does this mean that it has IPsec tunnels to 8 of these devices?
Regards
Mahesh
01-12-2014 01:25 PM
Hi Mahesh,
To my understanding that is exactly what it means. That there are 8 VPN connections to your ASA.
This output is the state of the Phase 1. There will only be one ISAKMP SA per VPN connection while there can be multiple IPsec SAs per VPN connection.
Above information tells us the IP address from which the user is connecting and also tells us that the ASA has been the responder to this connection. In other words the other end of the VPN has opened/formed/initiated the connection. It also shows that Aggressive Mode is used (AM) which probably means that each of the above connections is a VPN Client connection rather than an L2L VPN connection.
Hope this helps
- Jouni
01-12-2014 02:02 PM
Hi Jouni,
So I need to confirm: all these 8 connections are Remote Access VPN connections where clients are connecting to the company network, right?
Also, the IP addresses shown are those of the client PCs, right?
Do the Remote Access VPN always stay in Phase 1 only?
Regards
Mahesh
01-12-2014 02:15 PM
Hi,
There are other commands to get more information about the connections.
You could for example use
show vpn-sessiondb ?
Find the one there that refers to the Remote Access Clients. It might refer to Remote Access directly or mention IKEv1 RA as the next options (not in that exact format though). It depends on the ASA software version.
The following command would give you a summary of which type of connections there are on the ASA
show vpn-sessiondb summary
Have a try with the other commands with the way I showed above. I mean inserting the question mark "?" after the "show vpn-sessiondb" command so you can see the options.
With regards to the IP address, the IP address is the public IP address from which the connection was formed. Most of the time this is naturally a NAT IP address at the remote end where the user is connecting from. For example if a VPN user was connecting from his/her home this public IP address would be his/her Internet router/modem's public IP address.
If you had an L2L VPN connection then this public IP address visible would be that of the remote VPN device. This naturally can also be a NAT IP address if the VPN device is behind a NAT device and not directly connected to the Internet.
The Phase 1 is always formed/negotiated. When it's negotiated the VPN peers will use this Phase 1 connection to negotiate the Phase 2 securely and determine what traffic needs to be protected by the VPN.
The above is naturally a very simple explanation of the VPN. There is probably a lot more information if you are using some material to study the VPN.
Hope this helps
- Jouni
01-12-2014 02:44 PM
Hi Jouni,
I ran the command
sh vpn-sessiondb
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 0 : 0 : 0
IPsec Remote Access : 8 : 3850 : 30
VPN Load Balancing : 0 : 0 : 0
Totals : 8 : 3850
License Information:
IPsec : 750 Configured : 750 Active : 8 Load : 1%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 8 : 4797 : 30
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 8 : 4797
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 8 : 3850 : 30
IPsec : 0 : 4 : 1
IPsecOverNatT : 1 : 606 : 7
IPsecOverTCP : 7 : 3240 : 24
Totals : 16 : 7700
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
Under Tunnels it shows IKE 8, IPsecOverNatT 1 and IPsecOverTCP 7.
Does this also refer to Remote Access VPN connections coming from user PCs?
Do all the above 3 terms currently refer to Remote Access VPN?
Regards
Mahesh
01-12-2014 02:58 PM
Hi,
The beginning of the output would seem to suggest that this device has only been used for Client VPN. At least from the time when it was last booted, as we can only see the IPsec Remote Access Cumulative Counter increased.
The same section shows that currently Active sessions are all IPsec Remote Access connections.
With regards to the end of the output I am not 100% sure.
It would seem to me that one of the VPN Clients connected is using UDP as it's behind a NAT device (IPsecOverNatT) and the rest of the 7 VPN Clients are using TCP to connect.
Would probably have to see some "show run crypto" and "show run group-policy" configurations on the device to confirm.
- Jouni
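An added example (not from the thread and not Cisco's code) that parses the two outputs discussed above and performs the same reading Jouni does: it counts the Phase 1 SAs, notes which entries are responder-role, aggressive-mode (AM_) user peers, and checks that the active IKE count in the Tunnels section equals the sum of the IPsec, IPsecOverNatT and IPsecOverTCP rows and the isakmp peer count. The sample outputs and peer addresses are constructed placeholders in the shape of the thread's output.

```python
import re
# Constructed sample in the shape of the thread's "show crypto isakmp sa" output (placeholder IPs).
ISAKMP_SA_OUTPUT = """\
1   IKE Peer: 198.51.100.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 203.0.113.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
3   IKE Peer: 192.0.2.44
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
# Constructed "Tunnels:" section of "show vpn-sessiondb summary" for the same box.
SESSIONDB_TUNNELS = """\
Tunnels:
                       Active : Cumulative : Peak Concurrent
  IKE                :      3 :        100 :               5
  IPsec              :      1 :          4 :               1
  IPsecOverNatT      :      1 :         60 :               2
  IPsecOverTCP       :      1 :         36 :               3
"""
def parse_isakmp_sa(text):
    """One dict per IKE peer with its type, role, rekey flag and state."""
    peers, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            peers.append(cur)
        elif cur is not None:   # attribute lines belong to the last peer seen
            for key, val in re.findall(r"(\w+)\s*:\s*(\S+)", line):
                cur[key.lower()] = val
    return peers
def summarize(peers):
    """What Jouni reads off the output: Phase 1 SA count, whether the ASA
    answered or initiated, and IKEv1 mode (AM_ = aggressive, MM_ = main)."""
    return {"total": len(peers),
            "responder": sum(p["role"] == "responder" for p in peers),
            "aggressive_mode": sum(p["state"].startswith("AM_") for p in peers),
            "remote_access": sum(p["type"] == "user" for p in peers)}
def parse_tunnels(text):
    """Active-column counts from the Tunnels section, keyed by row name."""
    return {m.group(1): int(m.group(2)) for line in text.splitlines()
            if (m := re.match(r"\s*(\w+)\s*:\s*(\d+)\s*:", line))}
def ike_matches_transports(tunnels, peers):
    """Cross-check: active IKE SAs should equal plain IPsec + NAT-T + TCP
    tunnels and the isakmp peer count (8 = 0 + 1 + 7 in the thread)."""
    return tunnels["IKE"] == (tunnels["IPsec"] + tunnels["IPsecOverNatT"]
                              + tunnels["IPsecOverTCP"]) == len(peers)
```

Feed it the real outputs captured from the device and a mismatch between the two counts is the first thing to look at before reading the per-peer rows.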
01-12-2014 03:43 PM
Hi Jouni,
Here is info
sh run crypto
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec transform-set strongest esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set strongest strong
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
sh run group-policy
group-policy XGroupPolicy internal
group-policy XGroupPolicy attributes
wins-server none
dns-server value 192.168.50.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth enable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value corp.com
split-dns none
intercept-dhcp disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 15
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools value PoolCorp
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
homepage none
svc dtls enable
svc mtu 1406
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client 30
svc dpd-interval gateway 30
svc compression deflate
svc modules value vpngina
svc profiles none
svc ask none default webvpn
customization value DfltCustomization
group-policy DfltGrpPolicy attributes
wins-server value 192.168.50.1
dns-server value 192.168.50.1
vpn-tunnel-protocol IPSec svc
ipsec-udp enable
default-domain value corp.com
user-authentication-idle-timeout 15
address-pools value PoolDefault
group-policy YGroupPolicy internal
group-policy YGroupPolicy attributes
wins-server value 192.168.50.1
dns-server value 192.168.50.1
dhcp-network-scope none
vpn-tunnel-protocol IPSec
default-domain value corp.com
address-pools value PoolDefault
Thanks for helping me out.
Regards
Mahesh
01-12-2014 04:35 PM
Hi,
This command enables the use of TCP for the VPN Client connections. The previous 7 VPN Client connections are connecting with TCP.
crypto isakmp ipsec-over-tcp port 10000
It defines the TCP port to be TCP/10000 although I imagine it could be something else too. This is the default value. I would imagine that your VPN Client users would also have configuration under their VPN Client profiles configurations (the one they use to connect to this device) that selects them to use TCP. Normally the default setting on a newly created profile is to my understanding UDP.
You also seem to have these settings for UDP
ipsec-udp enable
ipsec-udp-port 10000
To be honest, I have not touched this setting previously so I am not sure what the purpose here is. To my understanding the VPN Client and ASA don't need any nondefault configuration to enable the connection to use UDP. Maybe this sets the values regarding the UDP port to nondefault values. I can't really say unless I tested this at some point.
- Jouni
01-12-2014 05:33 PM
Many thanks Jouni
Regards
Mahesh