Recently there have been quite a few blog posts on the VPN forums about troubleshooting common IPsec VPN issues.
Ankur and others have posted some nice articles.
I find, however, that to troubleshoot core IPsec VPN issues, whether a misconfiguration or a bug, you need to know how the protocol works.
And even if you do, different devices behave differently and produce different output.
What have I been up to
Over the course of the last few months I have been trying to make it easy for would-be troubleshooters to diagnose, and correct for themselves, the common issues of IPsec VPN.
To get there, let's first recap what you should know about IKE.
High level view of IKE version 1 exchange
As many of you know, IKE version 1 has the following modes:
- Aggressive mode
- Main mode
Aggressive mode is typically used for EzVPN with a pre-shared key (PSK).
Main mode is the mode we use when establishing LAN-to-LAN, DMVPN or SVTI tunnels, or EzVPN with certificates.
Note that I refer to messages below, not packets. This is a common misconception: a single message may need multiple packets to be sent.
Aggressive mode needs 3 messages to establish the phase 1 association and a further 3 to establish the IPsec SA that carries traffic (the Quick Mode, QM, exchange).
Main mode exchanges 6 messages to establish phase 1, followed by the same 3 Quick Mode messages as in aggressive mode.
The main advantage of main mode is that it is more secure. Aggressive mode sends a hash derived from your pre-shared key in the clear (hashed, but not encrypted). That is why, to improve security, users are also required to provide a username and password.
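To see the message counts above on the wire rather than in a debug, here is an added example (my own code, not part of the original post or any Cisco tool) that parses the fixed ISAKMP header from each UDP/500 datagram, classifies it as Main Mode, Aggressive Mode or Quick Mode, and reports which exchange stopped short of the number of messages it needs. The sample headers are constructed inline; the helper names are assumptions, and IKE fragmentation (one message over several packets) is not reassembled.

```python
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408): initiator cookie (8), responder cookie (8),
# next payload, version, exchange type, flags, message ID (4), length (4).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
# Messages a complete exchange needs, as described in the post.
EXPECTED = {"Main Mode": 6, "Aggressive Mode": 3, "Quick Mode": 3}
FLAG_ENCRYPTED = 0x01

def parse_header(datagram):
    """Return the header fields of the first 28 bytes of an ISAKMP datagram."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HEADER.unpack_from(datagram)
    return {"icookie": icookie, "rcookie": rcookie,
            "exchange": EXCHANGE_NAMES.get(xchg, "type %d" % xchg),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "msgid": msgid,
            "length": length, "version": (ver >> 4, ver & 0x0F)}

def negotiation_progress(datagrams):
    """Count IKEv1 messages per exchange and flag the exchange that stalled.
    Each datagram counts as one message; fragmented messages are not reassembled."""
    seen = Counter()
    for d in datagrams:
        h = parse_header(d)
        if h["version"][0] != 1:
            continue  # IKEv2 uses different exchange types; ignored here
        seen[h["exchange"]] += 1
    return {xchg: {"seen": seen.get(xchg, 0), "needed": need,
                   "complete": seen.get(xchg, 0) >= need}
            for xchg, need in EXPECTED.items()}

def make_header(xchg, msgid=0, encrypted=False, icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    """Build a constructed 28-byte ISAKMP header (no payloads) for testing."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    return ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, xchg, flags, msgid, ISAKMP_HEADER.size)

# Constructed sample: main mode stops after message 5 (no MM6, no Quick Mode),
# i.e. the session breaks at the authentication step of phase 1.
STALLED_MAIN_MODE = [make_header(2, encrypted=i >= 4) for i in range(5)]
```

With a real capture, feed `negotiation_progress` the UDP payloads of port 500 traffic for one peer pair and compare the stalled exchange with the corresponding point in the debug output.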
Result of my work.
The result of my work is a few articles covering the most common deployments.
The intention is to help troubleshooters map CLI commands to messages in the debugs and vice versa, understanding how messages in the debugs map to the configuration.
The documents will also serve as a reference for people who would like to know what a successful debugging session looks like.
Based on them you should be able to find where your session breaks.
Hopefully, with this help, they will be able to spot problems without involving TAC. ;-)