Solved: Re: Cisco IPSec site-to-site Tunnel

GW M · ‎03-12-2018

I have two Cisco 2911 routers configured with a site to site IPSec tunnel w/pre-shared keys between the main site and a remote site. Both sites are also providing remote Anyconnect VPN client access. I would like to use Main mode versus Aggressive mode for the site-to-site tunnel and only allow aggressive mode for the VPN clients. Is there a way to do this? Below is the remote site config

crypto keyring site2site
pre-shared-key address x.x.x.50 key 6 xxxxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
key 6 xxxxxxxx
pool VPN-clients
acl 104
max-logins 1
crypto isakmp profile site-to-site
description Site to site VPN Tunnel profile connection
keyring site2site
match identity address x.x.x.50 255.255.255.255
keepalive 30 retry 3
crypto isakmp profile vpnclients
description VPN Clients profile connection
match identity group remote-clients
client authentication list vpnclientauth
isakmp authorization list vpngroupauth
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 2
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclients
reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer x.x.x.50
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile site-to-site
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface GigabitEthernet0/0
ip address dhcp client-id GigabitEthernet0/0
crypto map SDM_CMAP_1

Richard Burts · ‎03-15-2018

GW

Unfortunately my reading of the documentation is that aggressive-mode disable is a global command. If you disable it then it is disabled for everyone. I continue to wonder if the way to resolve your issue is to have a way to tell whether the incoming request for ISAKMP is related to site to site or to remote access.

You have logic in the config that would do the right thing once we know whether the request will be for remote access or for site to site. But when that initial request comes in the router does not know which it will be.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎03-12-2018

Your description talks about AnyConnect as the Remote Access VPN client. But I am not seeing anything in the partial config about AnyConnect. What I am seeing for client looks much more like IPsec client. Can you clarify?

I am not seeing anything in the partial config that you posted that specifies anything about main mode or aggressive mode. Am I missing something?

My experience is that IPsec remote access clients typically want to use Aggressive mode while site to site usually uses Main mode. If you do not configure anything specific to the mode I would assume that each would work.

HTH

Rick

HTH

Rick

GW M · ‎03-12-2018

We connect with the Cisco VPN client.

Richard Burts · ‎03-12-2018

Thanks for clarifying that it is the old Cisco IPsec VPN client rather than AnyConnect. Can you address my question about where and how you are specifying aggressive vs main mode?

HTH

Rick

HTH

Rick

GW M · ‎03-12-2018

I'm not specifying aggressive or main mode for the site to site VPN. It's automatically choosing it. I would like the site to site to be force to use main mode while the client VPN continues to use aggressive mode.

Richard Burts · ‎03-13-2018

I am not clear whether you are saying that you are getting a behavior that you do not want (aggressive mode in site to site) and need to correct it or if the behavior is ok and you just want a way to require it instead of allowing the VPN to choose the mode. Can you clarify?

HTH

Rick

HTH

Rick

GW M · ‎03-13-2018

I would like the site-to-site tunnels to use Main mode, which I force them by using the crypto isakmp aggressive-mode disable" command in the configuration. Unfortunately, the VPN clients using pre-shared keys now fail because they want to use aggressive mode. Is there a way to force the VPN clients to use aggressive mode while still keeping the site-to-site tunnels as main mode?

Thanks

GW

Richard Burts · ‎03-13-2018

GW

I agree that disabling aggressive mode has consequences for your remote access clients that you can not accept. With aggressive mode enabled are you finding that your site to site VPNs are using aggressive mode? My experience has been that with both remote access and site to site VPN that each one chooses the alternative that I wish they would. I wonder if your experience is different.

HTH

Rick

HTH

Rick

GW M · ‎03-13-2018

With aggressive mode enabled, I am finding that my site-to-site VPNs will use aggressive mode.

GW

Richard Burts · ‎03-13-2018

GW

Thanks for the clarification. That is different from my experience. Is the site to site typically initiated from your site or from the remote site? You posted the crypto parts of the config from the remote. Could you also post the crypto parts of your config?

HTH

Rick

HTH

Rick

GW M · ‎03-13-2018

The site-to-site tunnel is initiated from then remote site to the data center site. My original config that I posted was from the remote site. Below is the data center site config

crypto keyring site2site
pre-shared-key address x.x.x.65 255.255.248.0 key 6 xxxxxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group remote-clients
key 6 xxxxxx
pool VPN-clients
acl 104
max-logins 1
crypto isakmp profile site-to-site
description Site to site VPN Tunnel profile connection
keyring site2site
match identity address 0.0.0.0
keepalive 30 retry 3
crypto isakmp profile vpnclients
description VPN Clients profile connection
match identity group remote-clients
client authentication list vpnclientauth
isakmp authorization list vpngroupauth
client configuration address respond
initiate mode aggressive
local-address GigabitEthernet0/0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile site-to-site
match address 100
crypto dynamic-map SDM_DYNMAP_1 2
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclients
reverse-route
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface GigabitEthernet0/0
ip address x.x.x.50 255.255.255.248
crypto map SDM_CMAP_1

Richard Burts · ‎03-14-2018

Thanks for the config. This is puzzling. My experience and what I am seeing in the documentation says that the default for site to site VPN is to use Main mode and that Aggressive mode can be used if one of the peers specifies it. But I do not see anything in the configs that you have shared that specifies aggressive mode for site to site. As I continue to look at this it would be helpful to know what version of software you are running on these routers.

There is some possibility that what you are experiencing is the result of a bug. If you have a support contract it might be a good idea to open a case with Cisco TAC and have them look into it.

HTH

Rick

HTH

Rick

GW M · ‎03-14-2018

Is there an easy way to determine with a CLI command if the site-to-site is using main mode or aggressive mode? I am running c2900-universalk9-mz.SPA.151-4.M1.bin

dcrouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
x.x.x.50 site-to-site QM_IDLE 1263 ACTIVE
x.x.x.50 vpn-remote-client QM_IDLE 1268 ACTIVE
x.x.x.50 site-to-site QM_IDLE 1262 ACTIVE

IPv6 Crypto ISAKMP SA

GW

Richard Burts · ‎03-15-2018

GW

I am not aware of an easy way to use CLI command to determine which mode was used. If there had been an issue in the negotiation that prevented the negotiation from completing, or if you caught it while the negotiation was going on you would find indications of Main Mode or of Aggressive Mode in the output of show crypto isakmp sa. But once ISAKMP phase 1 has completed and it goes into the next phase then all it shows is QM for Quick mode.

I have been thinking about this issue. Starting from the perspective that the default behavior is for site to site VPN to use Main Mode and to use Aggressive Mode only if one of the peers had configuration that specified Aggressive. So what in the config is specifying Aggressive? I have an idea to explore. Your hub config uses dynamic crypto maps for both site to site and for remote access VPN. When the initial packet for ISAKMP comes in it is just a request for ISAKMP and there is no way to know whether it will wind up being site to site or remote access. So the router takes the ISAKMP request and needs to match it to a policy and a profile. It seems to be matching the request to the policy and profile for remote access. I wonder if running debug crypto for isakmp might indicate which choice it is making?

If my idea holds up it seems that one way to solve this issue would be to change the config on the hub router and to specify static crypto map entries for each of the remote sites. That way when the initial ISAKMP request comes in it would either match the specific entry for site to site or would match the dynamic entry for remote access.

HTH

Rick

HTH

Rick

GW M · ‎03-15-2018

I can force the site-to-site to use Main mode by issuing the "crypto isakmp aggressive-mode disable" command and it works great! Unfortunately, the VPN clients can't connect because they want to use Aggressive mode. Is there a way to use the "crypto isakmp aggressive-mode disable" command to force all site-to-site tunnels to use Main mode and issue some other command specifically for the VPN clients that forces them to use Aggressiive mode?

GW