07-25-2017 12:04 PM - edited 03-05-2019 08:54 AM
Hello,
I have a question concerning the logic of an IPsec VPN through a tunnel interface.
I found a lot of examples concerning this kind of configuration, but my understanding is blocked...
Example of configuration:
# CONFIGURATION OF PHASE 1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key toto12345 address 0.0.0.0 0.0.0.0
!
# CONFIGURATION OF PHASE 2
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
# CONFIGURATION OF VTI WITH ASSOCIATION OF PHASE 2
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source 10.0.149.221
tunnel destination 10.0.149.220
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 10.0.149.221 255.255.255.0
duplex auto
speed auto
!
# ROUTE TO THE OTHER SIDE OF THE VPN IPSEC
ip route 20.20.20.0 255.255.255.0 tunnel0
How does the phase 1 assignment work? I can see that phase 2 is associated with a profile and this profile is associated with the VTI, but there is no information concerning the association of phase 1.
Thank you very much for your help.
BR
07-25-2017 02:21 PM
Hello,
Phase 1 is just for ISAKMP negotiation. There is no direct connection to Phase 2. Phase 1 creates the first tunnel, and Phase 2 the second one, the one that protects the actual data. To use a simple analogy, Phase 1 creates the road, Phase 2 creates the cars that go over the road.
Does that make sense?
07-25-2017 11:59 PM
Hello Georg,
Thank you for your answer.
It is clear.
But how do I assign a phase 1 to a tunnel? In this example, I can see that phase 2 is assigned to Tunnel0, but there is no mention of phase 1.
Does it work as follows?
=> I create crypto isakmp policies, and it takes the more specific before the less specific, and finally takes the default, without a specific assignment?
Thank you.
BR
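An added example, not from any post in this thread: in IKEv1 on IOS a "crypto isakmp policy" is never attached to a tunnel. All policies are global, they are offered lowest priority number first, and the first one both peers accept is used; the pre-shared key is likewise looked up globally by peer address. What can be tied to the VTI is an ISAKMP profile, referenced from the IPsec profile that "tunnel protection" already names, and that is where the peer identity match and the keyring are bound. The configuration below reuses the two addresses and the key from the original post (replace the key with a long random one); the names KR-R2 and P1-R2 are arbitrary, and AES-256, SHA-256 and DH group 14 assume an IOS release that supports them in "crypto isakmp policy".

```cisco
! Phase 1 policy: still global. Every policy is offered to every peer,
! lowest number first; the first one the peer also accepts is used.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Keyring scoped to the one peer, instead of the 0.0.0.0 0.0.0.0 wildcard
! key that any host knowing the secret could authenticate with.
crypto keyring KR-R2
 pre-shared-key address 10.0.149.220 255.255.255.255 key toto12345
!
! ISAKMP profile: the per-peer phase 1 settings (which identity is
! accepted, which keyring is used). This is the object the VTI can reach.
crypto isakmp profile P1-R2
 keyring KR-R2
 match identity address 10.0.149.220 255.255.255.255
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The IPsec profile now names both phase 2 (transform set) and the
! phase 1 profile, so "tunnel protection" below pulls in both.
crypto ipsec profile VTI
 set transform-set TSET
 set isakmp-profile P1-R2
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source 10.0.149.221
 tunnel destination 10.0.149.220
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 20.20.20.0 255.255.255.0 Tunnel0
```

After a shut/no shut of Tunnel0, "show crypto session detail" shows the session with profile P1-R2, and "show crypto isakmp sa detail" shows the negotiated phase 1 attributes; the peer needs the mirror-image configuration with the addresses swapped.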
07-26-2017 12:43 AM
Hello,
Consider the following output. I just did a shut/no shut on the tunnel. Check the lines marked in bold. Phase 1 needs to finish first before the actual tunnel that transports the data comes up:
R1(config-if)#no shut
R1(config-if)#
*Jul 26 09:33:03.083: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul 26 09:33:03.119: ISAKMP:(0): SA request profile is (NULL)
*Jul 26 09:33:03.119: ISAKMP: Created a peer struct for 10.0.149.220, peer port 500
*Jul 26 09:33:03.123: ISAKMP: New peer created peer = 0x68FFC5B4 peer_handle = 0x80000006
*Jul 26 09:33:03.123: ISAKMP: Locking peer struct 0x68FFC5B4, refcount 1 for isakmp_initiator
*Jul 26 09:33:03.123: ISAKMP: local port 500, remote port 500
*Jul 26 09:33:03.127: ISAKMP: set new node 0 to QM_IDLE
*Jul 26 09:33:03.127: ISAKMP:(0):insert sa successfully sa = 68FFBAD0
*Jul 26 09:33:03.131: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jul 26 09:33:03.131: ISAKMP:(0):found peer pre-shared key matching 10.0.149.220
*Jul 26 09:33:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 26 09:33:03.139: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 26 09:33:03.139: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 26 09:33:03.139: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 26 09:33:03.143: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jul 26 09:33:03.143: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jul 26 09:33:03.147: ISAKMP:(0): beginning Main Mode exchange
*Jul 26 09:33:03.147: ISAKMP:(0): sending packet to 10.0.149.220 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 26 09:33:03.151: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 26 09:33:03.223: ISAKMP (0): received packet from 10.0.149.220 dport 500 sport 500 Global (I) MM_NO_STATE
*Jul 26 09:33:03.227: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 26 09:33:03.231: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jul 26 09:33:03.231: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 26 09:33:03.231: ISAKMP:(0): processing vendor id payload
*Jul 26 09:33:03.231: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 26 09:33:03.231: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 26 09:33:03.231: ISAKMP:(0):found peer pre-shared key matching 10.0.149.220
*Jul 26 09:33:03.231: ISAKMP:(0): local preshared key found
*Jul 26 09:33:03.231: ISAKMP : Scanning profiles for xauth ...
*Jul 26 09:33:03.231: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jul 26 09:33:03.231: ISAKMP: encryption 3DES-CBC
*Jul 26 09:33:03.231: ISAKMP: hash SHA
*Jul 26 09:33:03.231: ISAKMP: default group 2
*Jul 26 09:33:03.231: ISAKMP: auth pre-share
*Jul 26 09:33:03.231: ISAKMP: life type in seconds
*Jul 26 09:33:03.231: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 26 09:33:03.231: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 26 09:33:03.231: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 26 09:33:03.231: ISAKMP:(0):Acceptable atts:life: 0
*Jul 26 09:33:03.231: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 26 09:33:03.231: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jul 26 09:33:03.231: ISAKMP:(0):Returning Actual lifetime: 86400
*Jul 26 09:33:03.231: ISAKMP:(0)::Started lifetime timer: 86400.
*Jul 26 09:33:03.231: ISAKMP:(0): processing vendor id payload
*Jul 26 09:33:03.231: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 26 09:33:03.231: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 26 09:33:03.231: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 26 09:33:03.231: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jul 26 09:33:03.235: ISAKMP:(0): sending packet to 10.0.149.220 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jul 26 09:33:03.235: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 26 09:33:03.235: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 26 09:33:03.235: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jul 26 09:33:03.279: ISAKMP (0): received packet from 10.0.149.220 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jul 26 09:33:03.279: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 26 09:33:03.279: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jul 26 09:33:03.279: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 26 09:33:03.299: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 26 09:33:03.299: ISAKMP:(0):found peer pre-shared key matching 10.0.149.220
*Jul 26 09:33:03.299: ISAKMP:(1002): processing vendor id payload
*Jul 26 09:33:03.299: ISAKMP:(1002): vendor ID is Unity
*Jul 26 09:33:03.303: ISAKMP:(1002): processing vendor id payload
*Jul 26 09:33:03.303: ISAKMP:(1002): vendor ID is DPD
*Jul 26 09:33:03.303: ISAKMP:(1002): processing vendor id payload
*Jul 26 09:33:03.303: ISAKMP:(1002): speaking to another IOS box!
*Jul 26 09:33:03.303: ISAKMP:received payload type 20
*Jul 26 09:33:03.303: ISAKMP (1002): His hash no match - this node outside NAT
*Jul 26 09:33:03.303: ISAKMP:received payload type 20
*Jul 26 09:33:03.303: ISAKMP (1002): No NAT Found for self or peer
*Jul 26 09:33:03.303: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 26 09:33:03.303: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jul 26 09:33:03.303: ISAKMP:(1002):Send initial contact
*Jul 26 09:33:03.303: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 26 09:33:03.303: ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 10.0.149.221
protocol : 17
port : 500
length : 12
*Jul 26 09:33:03.303: ISAKMP:(1002):Total payload length: 12
*Jul 26 09:33:03.303: ISAKMP:(1002): sending packet to 10.0.149.220 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul 26 09:33:03.303: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jul 26 09:33:03.303: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 26 09:33:03.303: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jul 26 09:33:03.323: ISAKMP (1002): received packet from 10.0.149.220 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul 26 09:33:03.327: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 26 09:33:03.327: ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 10.0.149.220
protocol : 17
port : 500
length : 12
*Jul 26 09:33:03.327: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 26 09:33:03.327: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 26 09:33:03.327: ISAKMP:(1002):SA authentication status:
authenticated
*Jul 26 09:33:03.327: ISAKMP:(1002):SA has been authenticated with 10.0.149.220
*Jul 26 09:33:03.327: ISAKMP: Trying to insert a peer 10.0.149.221/10.0.149.220/500/, and inserted successfully 68FFC5B4.
*Jul 26 09:33:03.327: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 26 09:33:03.327: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jul 26 09:33:03.331: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 26 09:33:03.331: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jul 26 09:33:03.331: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 26 09:33:03.331: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jul 26 09:33:03.331: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 1279834092
*Jul 26 09:33:03.331: ISAKMP:(1002):QM Initiator gets spi
*Jul 26 09:33:03.335: ISAKMP:(1002): sending packet to 10.0.149.220 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 26 09:33:03.335: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jul 26 09:33:03.335: ISAKMP:(1002):Node 1279834092, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 26 09:33:03.335: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 26 09:33:03.335: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 26 09:33:03.335: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 26 09:33:03.347: ISAKMP (1002): received packet from 10.0.149.220 dport 500 sport 500 Global (I) QM_IDLE
*Jul 26 09:33:03.355: ISAKMP:(1002): processing HASH payload. message ID = 1279834092
*Jul 26 09:33:03.355: ISAKMP:(1002): processing SA payload. message ID = 1279834092
*Jul 26 09:33:03.355: ISAKMP:(1002):Checking IPSec proposal 1
*Jul 26 09:33:03.359: ISAKMP: transform 1, ESP_3DES
*Jul 26 09:33:03.359: ISAKMP: attributes in transform:
*Jul 26 09:33:03.359: ISAKMP: encaps is 1 (Tunnel)
*Jul 26 09:33:03.363: ISAKMP: SA life type in seconds
*Jul 26 09:33:03.363: ISAKMP: SA life duration (basic) of 3600
*Jul 26 09:33:03.363: ISAKMP: SA life type in kilobytes
*Jul 26 09:33:03.363: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 26 09:33:03.363: ISAKMP: authenticator is HMAC-SHA
*Jul 26 09:33:03.363: ISAKMP:(1002):atts are acceptable.
*Jul 26 09:33:03.363: ISAKMP:(1002): processing NONCE payload. message ID = 1279834092
*Jul 26 09:33:03.363: ISAKMP:(1002): processing ID payload. message ID = 1279834092
*Jul 26 09:33:03.363: ISAKMP:(1002): processing ID payload. message ID = 1279834092
*Jul 26 09:33:03.363: ISAKMP:(1002):Node 1279834092, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 26 09:33:03.363: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Jul 26 09:33:03.371: ISAKMP: Failed to find peer index node to update peer_info_list
*Jul 26 09:33:03.371: ISAKMP:(1002):Received IPSec Install callback... proceeding with the negotiation
*Jul 26 09:33:03.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jul 26 09:33:03.435: ISAKMP:(1002): sending packet to 10.0.149.220 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 26 09:33:03.435: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jul 26 09:33:03.439: ISAKMP:(1002):deleting node 1279834092 error FALSE reason "No Error"
*Jul 26 09:33:03.439: ISAKMP:(1002):Node 1279834092, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jul 26 09:33:03.443: ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
R1(config-if)#end
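Two things in the debug above are worth noting. "SA request profile is (NULL)" and "peer matches *none* of the profiles" confirm that no ISAKMP profile was involved: phase 1 was negotiated purely from the global policy list and the global wildcard key. And the attributes that were accepted (3DES-CBC, SHA-1, DH group 2, a pre-shared key valid for address 0.0.0.0 0.0.0.0) are weak by current standards. As an added example that is not part of this thread, here is the same VTI moved to IKEv2, where the binding the question was about is explicit and mandatory: the IPsec profile must reference an IKEv2 profile, that profile references the keyring, and the IKEv2 policy that selects the proposal can be tied to the tunnel source with "match address local". Addresses are the ones from the original post; the names PROP-AESGCM, POL-R2, KR-R2 and PROF-R2 are arbitrary; it assumes an IOS/IOS-XE release with IKEv2 and AES-GCM support.

```cisco
! IKEv2 proposal: AES-256-GCM (AEAD, so no separate integrity algorithm),
! SHA-512 PRF, ECDH group 19 for the key exchange.
crypto ikev2 proposal PROP-AESGCM
 encryption aes-gcm-256
 prf sha512
 group 19
!
! IKEv2 policy: selected by the local (tunnel source) address, which is
! the closest IKEv2 gets to "this proposal belongs to this tunnel".
crypto ikev2 policy POL-R2
 match address local 10.0.149.221
 proposal PROP-AESGCM
!
! Keyring scoped to the one peer. Replace the key with a long random one;
! the value below is only the one used in the thread.
crypto ikev2 keyring KR-R2
 peer R2
  address 10.0.149.220
  pre-shared-key toto12345
!
! IKEv2 profile: who we accept, who we claim to be, how both sides
! authenticate, which keyring, and dead peer detection.
crypto ikev2 profile PROF-R2
 match identity remote address 10.0.149.220 255.255.255.255
 identity local address 10.0.149.221
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-R2
 dpd 10 3 on-demand
!
crypto ipsec transform-set TSET-GCM esp-gcm 256
 mode tunnel
!
! The IPsec profile is the join point: phase 2 transform, PFS group,
! and the IKEv2 profile that carries the phase 1 settings.
crypto ipsec profile VTI
 set transform-set TSET-GCM
 set pfs group19
 set ikev2-profile PROF-R2
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source 10.0.149.221
 tunnel destination 10.0.149.220
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 20.20.20.0 255.255.255.0 Tunnel0
```

Verify with "show crypto ikev2 sa detailed" (negotiated proposal, authentication method, local and remote identities) and "show crypto ipsec sa" (ESP transform and PFS group on the child SA); "show crypto session detail" shows which IKEv2 profile the session matched. The remote router needs the mirror-image configuration with the two addresses swapped.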