cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

Understanding ASA IPSec and IKE debugs - IKEv1 Aggressive Mode.

11198
Views
10
Helpful
0
Comments

 

 

Disclaimer: This is best effort work only, it may (and probably is) not 100% correct. This work will be corrected as corrective feedback is received.

1. Introduction

 

This document will attempt to describe how to understand debugs on ASA when aggressive mode and pre shared key (PSK) is being used.

How to translate certain debug lines into configuration.

 

What will not be discussed:

- passing traffic after tunnel has been established.

- basic concepts of IPSec or IKE.

 

2. Core issue

 

IKE and IPSec debugs tend to get cryptic, TAC will very often use them to understand where a problem with IPSec VPN tunnel establishment is located.

 

3. Scenario

 

Aggressive mode is typically used in case of EZVPN, both software (Cisco VPN client) and hardware clients (ASA 5505 or IOS routers), but only when using pre shared key (PSK).

Those debugs are from ASA 8.3.2 (EZVPN server), EZVPN client will be a router, in client mode.

 

3.1 Debugs used.

debug crypto isakmp 127

debug crypto ipsec 127

3.2 Hardware client configuration.

crypto ipsec client ezvpn EZ
connect manual
group EZ key cisco
mode client
peer 10.48.67.14
username cisco password cisco
xauth userid mode local


interface FastEthernet4
ip address 10.48.66.23 255.255.254.0
duplex auto
speed auto
crypto ipsec client ezvpn EZ
end

interface Vlan1
ip address 172.16.0.1 255.255.255.0
crypto ipsec client ezvpn EZ inside
end

3.3 ASA configuration.


ASA configuration is meant to be strictly basic, no external servers are used.

 

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.48.67.14 255.255.254.0

 

crypto ipsec transform-set TRA esp-aes esp-sha-hmac

 

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

 

crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route

 

crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

 

crypto isakmp enable outside

 

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

 


username cisco password  cisco
username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
default-group-policy EZ
tunnel-group EZ ipsec-attributes
pre-shared-key *****

group-policy EZ internal
group-policy EZ attributes
password-storage enable

4. Debugging

4.1 Phase 1 - Aggressive mode.

Aggressive mode consist of 3 messages.

 

4.1.1 Aggressive mode message 1 (AM1); sent from client to server.

Includes:

- capabilities (Vendor IDs)

- isakmp proposals

- group (identity)

- PSK

- Diffie-Hellman exchange.

 

%ASA-6-302015: Built inbound UDP connection 655 for outside:10.48.66.23/500 (10.48.66.23/500) to identity:10.48.67.14/500 (10.48.67.14/500)

%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134

%ASA-7-715047: IP = 10.48.66.23, processing SA payload

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal RFC VID

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 03 VID

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 02 VID

%ASA-7-715047: IP = 10.48.66.23, processing ke payload

%ASA-7-715047: IP = 10.48.66.23, processing ISA_KE payload

%ASA-7-715047: IP = 10.48.66.23, processing nonce payload

%ASA-7-715047: IP = 10.48.66.23, processing ID payload

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received DPD VID

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received xauth V6 VID

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715050: IP = 10.48.66.23, Claims to be IOS but failed authentication

%ASA-7-715047: IP = 10.48.66.23, processing VID payload

%ASA-7-715049: IP = 10.48.66.23, Received Cisco Unity client VID

%ASA-7-713906: IP = 10.48.66.23, Connection landed on tunnel_group EZ

%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing IKE SA payload

%ASA-7-715028: Group = EZ, IP = 10.48.66.23, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134


Relevant configuration.

ISAKMP being enabled on interface and at least one policy defined and matching what client sent.

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

 

Tunnel-group matching the identity name present.

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
default-group-policy EZ
tunnel-group EZ ipsec-attributes
pre-shared-key cisco

 

4.1.2 Aggressive mode message 2 (AM2); sent from server to client.

- capabilities.

- Diffie-Hellman exchange.

- NAT detection payload.


Oct 28 15:30:24 [IKEv1 DEBUG]%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ISAKMP SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ke payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing nonce payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, Generating keys for Responder...
: IP = 10.48.66.23, processing SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Cisco Unity VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing xauth V6 VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing dpd vid payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing VID payload
%ASA-7-715048: Group = EZ, IP = 10.48.66.23, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8)+ VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Oct 28 15:30:24 [IKEv1 DEBUG]: IP = 10.48.66.23, processing VID payload

 

4.1.3 Aggressive mode message 3 (AM3); sent from client to server.


Contains:

- NAT discovery and decision.

%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing notify payload
%ASA-6-713172: Group = EZ, IP = 10.48.66.23, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOTbehind a NAT device
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing blank hash payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing qm hash payload

 

 

4.2 Phase 1.5 - Xauth and Mode config.

 

Xauth - eXtended AUTHentication. User authentication.

 

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 72
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, Processing MODE_CFG Reply attributes.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: IP Compression = disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, User (cisco) authenticated.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 64
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg ACK attributes

 

Relevant configuration:

username cisco password cisco

 

Mode config - request and provide authentication attributes.


Contains:

- Request for parameters to configure client.

- Reply - at least and IP address and mask in typical scenario.


Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 393
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg Request attributes
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 net mask!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28692
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28693
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split Tunnel List!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split DNS!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Default Domain Name!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Save PW setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Local LAN Include!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for PFS setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for backup ip-sec peer list!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Application Version!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Client Type: IOS  Client Application Version: 12.4(20)T5
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Banner!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28695
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DHCP hostname for DDNS is: bsns-871-3!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Obtained IP addr (192.168.1.100) prior to initiating Mode Cfg(XAuth enabled)
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending subnet mask (255.255.255.0) to remote client
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Assigned private IP address 192.168.1.100 to remote user
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 173



Oct 28 15:30:24 [IKEv1 DECODE]: IP = 10.48.66.23, IKE Responder starting QM: msg id = 8bd3cce6
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Gratuitous ARP sent for 192.168.1.100
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 1 COMPLETED
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=6531fd86) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92

Relevant configuration:

(Note in my case I'm assigning user always same IP)

username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0

 

Only now is IPSec phase 1 completed and we are begining:

 

4.3 Phase 2 - Quick mode.

 

4.3.1 Quick mode message 1 (QM1)

- phase two encryption algorithms (IPsec transform sets)

- tunnel type and encryption.

- proxy ID - "what I would like to put in the tunnel?"

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)+ ID (5) + ID (5) + NONE (0) total length : 1276

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing SA payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing nonce payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload

Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR ID received

192.168.1.100

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received remote Proxy Host data in ID Payload: Address 192.168.1.100, Protocol 0, Port 0

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload

Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, QM IsRekeyed old sa not found by addr

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE Remote Peer configured for crypto map: DYN

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing IPSec SA payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10

 

Relevant configuration:

crypto dynamic-map DYN 10 set transform-set TRA

 

4.3.2 Quick mode message 2 (QM2)

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE: requesting SPI!

IPSEC: New embryonic SA created @ 0x5416EBD0,

    SCB: 0x53707C08,

    Direction: inbound

    SPI      : 0xD6602721

    Session ID: 0x00067000

    VPIF num  : 0x00000002

    Tunnel type: ra

    Protocol   : esp

    Lifetime   : 240 seconds

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got SPI from key engine: SPI = 0xd6602721

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, oakley constucting quick mode

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec SA payload

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec nonce payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing proxy ID

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Transmitting Proxy Id:

  Remote host: 192.168.1.100  Protocol 0  Port 0

  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending RESPONDER LIFETIME notification to Initiator

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload

Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP =  10.48.66.23, IKE Responder sending 2nd QM pkt: msg id = 8bd3cce6

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message

(msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +

ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196

 

Relevant configuration:

tunnel-group EZ type remote-access  !(tunnel type ra = tunnel type remote-access)
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

4.3.3 Quick mode message 3 (QM3)

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, loading all IPSEC SAs

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!

IPSEC: New embryonic SA created @ 0x54173AD0,

    SCB: 0x536EFC00,

    Direction: outbound

    SPI      : 0x8C52372D

    Session ID: 0x00067000

    VPIF num  : 0x00000002

    Tunnel type: ra

    Protocol   : esp

    Lifetime   : 240 seconds

IPSEC: Completed host OBSA update, SPI 0x8C52372D

IPSEC: Creating outbound VPN context, SPI 0x8C52372D

    Flags: 0x00000005

    SA   : 0x54173AD0

    SPI  : 0x8C52372D

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x00000000

    SCB  : 0x04E59681

    Channel: 0x4C69CD00

IPSEC: Completed outbound VPN context, SPI 0x8C52372D

    VPN handle: 0x0019BB3C

IPSEC: New outbound encrypt rule, SPI 0x8C52372D

    Src addr: 0.0.0.0

    Src mask: 0.0.0.0

    Dst addr: 192.168.1.100

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed outbound encrypt rule, SPI 0x8C52372D

    Rule ID: 0x536FEF98

IPSEC: New outbound permit rule, SPI 0x8C52372D

    Src addr: 10.48.67.14

    Src mask: 255.255.255.255

    Dst addr: 10.48.66.23

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0x8C52372D

    Use SPI: true

IPSEC: Completed outbound permit rule, SPI 0x8C52372D

    Rule ID: 0x4CB82D38

IPSEC: Applying VPN filter BLA_3

IPSEC: Completed outbound user rule, SPI 0x8C52372D

    Rule ID: 0x00000004

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Security negotiation complete for User (cisco)  Responder, Inbound SPI = 0xd6602721, Outbound SPI = 0x8c52372d

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got a KEY_ADD msg for SA: SPI = 0x8c52372d

IPSEC: Completed host IBSA update, SPI 0xD6602721

IPSEC: Creating inbound VPN context, SPI 0xD6602721

    Flags: 0x00000006

    SA   : 0x5416EBD0

    SPI  : 0xD6602721

    MTU  : 0 bytes

    VCID : 0x00000000

    Peer : 0x0019BB3C

    SCB  : 0x04E50703

    Channel: 0x4C69CD00

IPSEC: Completed inbound VPN context, SPI 0xD6602721

    VPN handle: 0x0019C174

IPSEC: Updating outbound VPN context 0x0019BB3C, SPI 0x8C52372D

    Flags: 0x00000005

    SA   : 0x54173AD0

    SPI  : 0x8C52372D

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x0019C174

    SCB  : 0x04E59681

    Channel: 0x4C69CD00

IPSEC: Completed outbound VPN context, SPI 0x8C52372D

    VPN handle: 0x0019BB3C

IPSEC: Completed outbound inner rule, SPI 0x8C52372D

    Rule ID: 0x536FEF98

IPSEC: Completed outbound outer SPD rule, SPI 0x8C52372D

    Rule ID: 0x4CB82D38

IPSEC: New inbound tunnel flow rule, SPI 0xD6602721

    Src addr: 192.168.1.100

    Src mask: 255.255.255.255

    Dst addr: 0.0.0.0

    Dst mask: 0.0.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound tunnel flow rule, SPI 0xD6602721

    Rule ID: 0x4CB84870

IPSEC: New inbound decrypt rule, SPI 0xD6602721

    Src addr: 10.48.66.23

    Src mask: 255.255.255.255

    Dst addr: 10.48.67.14

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0xD6602721

    Use SPI: true

IPSEC: Completed inbound decrypt rule, SPI 0xD6602721

    Rule ID: 0x541476E0

IPSEC: New inbound permit rule, SPI 0xD6602721

    Src addr: 10.48.66.23

    Src mask: 255.255.255.255

    Dst addr: 10.48.67.14

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0xD6602721

    Use SPI: true

IPSEC: Completed inbound permit rule, SPI 0xD6602721

    Rule ID: 0x4CB840B0

IPSEC: Applying VPN filter BLA_3

IPSEC: Completed inbound user rule, SPI 0xD6602721

    Rule ID: 0x00000004

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Pitcher: received KEY_UPDATE, spi 0xd6602721

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Starting P2 rekey timer: 27360 seconds.

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Adding static route for client address: 192.168.1.100

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 2 COMPLETED (msgid=8bd3cce6)

Relevant configuration:

crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route   !adding static route ....

 

Phase 2 is now finished, but client also graciously sends us information about itself.

If you look carefully you will find:

- hostname of EZVPN client

- software being run on client

- location and name of software

 

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=91facca9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing notify payload
Oct 28 15:30:24 [IKEv1 DECODE]: OBSOLETE DESCRIPTOR - INDEX 1
Oct 28 15:30:24 [IKEv1 DECODE]: 0000: 00000000 7534000B 62736E73 2D383731     ....u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731     -3.u2..Cisco 871
0020: 7535000B 46484B30 39343431 32513675     u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009     6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61     145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572     sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32     vicesk9-mz.124-2
0070: 302E5435 2E62696E                       0.T5.bin

 

Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing PSK Hash
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 192.168.1.100, Inconsistent PSK hash size
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, PSK Hash Verification Failed!

 

5. Established tunnel.

Let's have a look at established tunnel.

5.1 ISAKMP

Command:

sh cry isa sa det

Output:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

 

1   IKE Peer: 10.48.66.23
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86387


AM_ACTIVE - aggressive mode is active.

5.2 IPSec

Command:

 sh crypto ipsec sa

Output: (Note the different SPI values than negotiated above! This is in fact same tunnel after phase 2 rekey.)

interface: outside
    Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14

 

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)

      current_peer: 10.48.66.23, username: cisco
      dynamic allocated peer ip: 192.168.1.100

 

     #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 10.48.67.14/0, remote crypto endpt.: 10.48.66.23/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C4B9A77C
      current inbound spi : EA2B6B15

 

    inbound esp sas:
      spi: 0xEA2B6B15 (3928714005)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 425984, crypto-map: DYN
         sa timing: remaining key lifetime (sec): 28714
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0xC4B9A77C (3300501372)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 425984, crypto-map: DYN
         sa timing: remaining key lifetime (sec): 28714
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

6. Further reading

A good place to start is wikipedia article on IPSec.

Standard and references contains a lot of useful information:

http://en.wikipedia.org/wiki/IPsec

Understanding main mode debugs on ASA:

https://supportforums.cisco.com/docs/DOC-14044

Understanding aggressive mode debug on IOS:

https://supportforums.cisco.com/docs/DOC-17021

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here