10-01-2012 09:51 AM - edited 02-21-2020 06:22 PM
hi,
I am thinking about switching my VPN backbone (VTI) from IPv4 to IPv6, but everything behind all my peers is IPv4.
So I would like to start by changing only the backbone and not the networks behind it. Is it possible?
To summarize, is it possible to do this:
ipv4 network A ==> Cisco ISR (ipv4 lan inside) | (ipv6 wan outside) <======= ipv6 ipsec vpn (vti)
=======> Cisco ISR (ipv6 wan outside) | (ipv4 lan inside) ==> ipv4 network B
Thanks for your comments.
Best regards
Nicolas
06-13-2013 12:04 AM
Nicolas,
Can you enable IPV6 unicast-routing on both sides and try again?
Cheers,
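The fix in this accepted answer is a single missing global command, so the useful defensive check is a configuration audit that catches the omission before a tunnel goes live. The Python below is an added example, not code from this thread or from Cisco: it splits an IOS running-config into global commands and interface blocks (the sample config is constructed, modelled on the 881/1841 configs posted later in the thread), finds tunnels whose transport is IPv6 (`tunnel mode gre ipv6` or `tunnel mode ipsec ipv6`), and flags a missing `ipv6 unicast-routing`. The extra checks on `tunnel source` and `tunnel destination` go beyond the thread and are the example's own assumptions, as are all function names.

```python
import re

# Constructed sample (not the thread's exact posting): an IOS running-config
# modelled on the 881 config in this thread, with an IPv6-transport GRE tunnel
# and no "ipv6 unicast-routing" anywhere in the global section.
SAMPLE_CONFIG = """\
hostname test1
!
ip cef
no ipv6 cef
!
crypto ipsec profile RACINE
 set transform-set ESP-AES-256-MD5
!
interface Tunnel0
 description vers test2
 ip unnumbered Vlan1
 tunnel source FastEthernet4
 tunnel mode gre ipv6
 tunnel destination 2012::2
 tunnel protection ipsec profile RACINE
!
interface FastEthernet4
 description outside
 no ip address
 ipv6 address 2012::1/64
 ipv6 enable
!
interface Vlan1
 description inside
 ip address 192.168.0.254 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
end
"""

# Same config with the fix from the accepted answer applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ip cef\n", "ip cef\nipv6 unicast-routing\n", 1)

# Tunnel modes whose outer (transport) header is IPv6.
IPV6_TRANSPORT_MODE = re.compile(r"^tunnel mode (gre|ipsec) ipv6$")


def parse_ios_config(text):
    """Split a running-config into top-level commands and per-interface
    sub-command lists. Sub-commands are the lines indented by one space after
    an 'interface ...' line; '!' or a non-indented line ends the block."""
    top_level = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        top_level.append(line.strip())
    return top_level, interfaces


def audit_ipv6_tunnels(text):
    """Return a list of findings for every tunnel carried over IPv6."""
    top_level, interfaces = parse_ios_config(text)
    findings = []
    v6_routing_enabled = "ipv6 unicast-routing" in top_level
    for name, cmds in interfaces.items():
        if not any(IPV6_TRANSPORT_MODE.match(c) for c in cmds):
            continue  # not an IPv6-transport tunnel, nothing to check
        if not v6_routing_enabled:
            findings.append(
                f"{name}: IPv6 transport tunnel but 'ipv6 unicast-routing' is not "
                "configured (IKE can complete while no ESP ever leaves the box)")
        src = next((c.split(None, 2)[2] for c in cmds if c.startswith("tunnel source ")), None)
        if src is None:
            findings.append(f"{name}: missing 'tunnel source'")
        elif src in interfaces and not any(c.startswith("ipv6 address ") for c in interfaces[src]):
            # tunnel source may also be a literal IPv6 address; only interface
            # names are resolved and checked here (assumption of this example)
            findings.append(f"{name}: tunnel source {src} has no IPv6 address")
        if not any(c.startswith("tunnel destination ") for c in cmds):
            findings.append(f"{name}: missing 'tunnel destination'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with fix", FIXED_CONFIG)):
        print(f"{label}: {audit_ipv6_tunnels(cfg) or 'no findings'}")
```

Run against the constructed config the audit reports the one finding the thread ended on; after inserting `ipv6 unicast-routing` it reports nothing.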
10-01-2012 10:42 AM
on the IOS-router you need to change your tunnel mode to GRE. With that you can transport v4 over a public v6 network.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-01-2012 11:18 PM
Hello Nicolas,
Currently, VTI [IPsec mode] works only for IPv4 over IPv4 / IPv6 over IPv6.
Per RFC, in IKEv2 we could have an overlay dual stack [since we can have two TSi-TSr], but it's not yet implemented.
A dual stack approach would consume more resources than GRE [which is available today].
Therefore, we recommend the use of GRE [protecting a single TSi-TSr with a single SA pair], since this maximises the scalability per device.
GRE allows you to encapsulate anything, from IPv4 to IPv6 or CDP.
I hope this helps
Olivier,
CCIE Security #20306
06-11-2013 09:27 AM
Hi Olivier,
I just made some tests in the lab and had no success :-(
I use an 881 and an 1841, both on 15.1(4)M6, and they are face to face.
both sides :
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address ipv6 ::/0
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
mode transport
!
crypto ipsec profile RACINE
set transform-set ESP-AES-256-MD5
!
=> 1841
interface Tunnel0
description vers test1
ip unnumbered FastEthernet0/1
ipv6 enable
tunnel source FastEthernet0/0
tunnel mode gre ipv6
tunnel destination 2012::1
tunnel path-mtu-discovery
tunnel protection ipsec profile RACINE
interface FastEthernet0/1
description inside
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly in
ip route 192.168.0.0 255.255.0.0 Tunnel0
interface FastEthernet0/0
description outside
no ip address
duplex auto
speed auto
ipv6 address 2012::2/64
ipv6 enable
=============================================
=> 881
interface Tunnel0
description vers test2
ip unnumbered Vlan1
ipv6 enable
tunnel source FastEthernet4
tunnel mode gre ipv6
tunnel destination 2012::2
tunnel path-mtu-discovery
tunnel protection ipsec profile RACINE
interface Vlan1
description inside
ip address 192.168.0.254 255.255.255.0
ip virtual-reassembly in
ip route 192.168.1.0 255.255.255.0 Tunnel0
interface FastEthernet4
description outside
no ip address
duplex auto
speed auto
ipv6 address 2012::1/64
ipv6 enable
===========================================
but it doesn't work; it seems ISAKMP is OK but not IPsec
=>
================================
IPv6 Crypto ISAKMP SA
dst: 2012::2
src: 2012::1
conn-id: 1007 I-VRF: Status: ACTIVE Encr: aes Hash: md5
Auth: psk
DH: 5 Lifetime: 23:52:06 Cap: D Engine-id:Conn-id = SW:7
================================
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2012::2
protected vrf: (none)
local ident (addr/mask/prot/port): (2012::2/128/47/0)
remote ident (addr/mask/prot/port): (2012::1/128/47/0)
current_peer 2012::1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 2, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 2012::2,
remote crypto endpt.: 2012::1
path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb FastEthernet0/0
current outbound spi: 0x64631FC3(1684217795)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE65495BB(3864303035)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2013, flow_id: FPGA:13, sibling_flags 80000006, crypto
map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4539633/28303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x64631FC3(1684217795)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2014, flow_id: FPGA:14, sibling_flags 80000006, crypto
map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4539632/28303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
=====================================
Do you have an idea?
Regards
Nicolas
06-11-2013 11:51 AM
Nicolas,
I see
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
How does it look on the other side? We encaps but we don't get traffic from the remote box.
Regards.
Olivier
06-11-2013 12:14 PM
Olivier,
I will check that tomorrow.
What about the configurations, do they seem OK to you?
thanks
Nicolas
06-11-2013 12:29 PM
Hello
No, there is nothing obvious that I would spot as wrong. Let's see what you have on the other side.
As long as the other side is not an ASR1000 [which requires XE37 to support GRE IPv6], it should be OK.
06-11-2013 11:30 PM
So on my 881 I do have encaps/decaps:
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2012::1
protected vrf: (none)
local ident (addr/mask/prot/port): (2012::1/128/47/0)
remote ident (addr/mask/prot/port): (2012::2/128/47/0)
current_peer 2012::2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 10, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 2012::1,
remote crypto endpt.: 2012::2
path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb FastEthernet4
current outbound spi: 0x4B308178(1261470072)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x773CB510(2000467216)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4433065/28580)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4B308178(1261470072)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4433064/28580)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
=============================================
See the debug after a "clear crypto session" and some ping tests:
============================================
test2#cle
test2#clear cry
test2#clear crypto se
test2#clear crypto session
test2#
*Jun 12 06:26:15.223: Schedule to delete SA 32.18.0.0:500 dst 32.18.0.0:500 fvrf 0x0, ivrf 0x0 in 60 seconds
*Jun 12 06:26:15.223: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 2012::2, sa_proto= 50,
sa_spi= 0x4B308178(1261470072),
sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4578475/28800),
(identity) local= 2012::2:0, remote= 2012::1:0,
local_proxy= 2012::2/128/47/0 (type=5),
remote_proxy= 2012::1/128/47/0 (type=5)
*Jun 12 06:26:15.227: IPSEC(update_current_outbound_sa): updated peer 2012::1 current outbound sa to SPI 0
*Jun 12 06:26:15.227: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 2012::1, sa_proto= 50,
sa_spi= 0x773CB510(2000467216),
sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4578475/28800),
(identity) local= 2012::2:0, remote= 2012::1:0,
local_proxy= 2012::2/128/47/0 (type=5),
remote_proxy= 2012::1/128/47/0 (type=5)
*Jun 12 06:26:16.227: ISAKMP: set new node 25783982 to QM_IDLE
*Jun 12 06:26:16.227: ISAKMP:(1002): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 12 06:26:16.227: ISAKMP:(1002):Sending an IKE IPv6 Packet.
*Jun 12 06:26:16.227: ISAKMP:(1002):purging node 25783982
*Jun 12 06:26:16.227: ISAKMP:(1002):peer does not do paranoid keepalives.
*Jun 12 06:26:16.227: ISAKMP:(1002):deleting SA reason "BY user command" state (R) QM_IDLE (peer 2012::1)
*Jun 12 06:26:16.227: ISAKMP:(1002):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jun 12 06:26:16.227: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 12 06:26:16.227: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 12 06:26:16.227: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
*Jun 12 06:26:16.231: ISAKMP (1002): IPSec has no more SA's with this peer. Won't keepalive phase 1.
*Jun 12 06:26:16.231: ISAKMP: set new node -1200329214 to QM_IDLE
*Jun 12 06:26:16.231: ISAKMP:(1002): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 12 06:26:16.231: ISAKMP:(1002):Sending an IKE IPv6 Packet.
*Jun 12 06:26:16.231: ISAKMP:(1002):purging node -1200329214
*Jun 12 06:26:16.231: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 12 06:26:16.231: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jun 12 06:26:16.231: ISAKMP:(1002):deleting SA reason "BY user command" state (R) QM_IDLE (peer 2012::1)
*Jun 12 06:26:16.235: ISAKMP: Unlocking peer struct 0x67A9CEC8 for isadb_mark_sa_deleted(), count 0
*Jun 12 06:26:16.235: ISAKMP: Deleting peer node by peer_reap for 2012::1: 67A9CEC8
*Jun 12 06:26:16.235: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 12 06:26:16.235: ISAKMP:(1002):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Jun 12 06:26:16.235: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 12 06:26:16.235: ISAKMP (1002): received packet from 2012::1 dport 500 sport 500 Global (R) MM_NO_STATE
test2#
*Jun 12 06:26:28.271: ISAKMP (0): received packet from 2012::1 dport 500 sport 500 Global (N) NEW SA
*Jun 12 06:26:28.271: ISAKMP: Created a peer struct for 2012::1, peer port 500
*Jun 12 06:26:28.271: ISAKMP: New peer created peer = 0x66B7E378 peer_handle = 0x80000004
*Jun 12 06:26:28.271: ISAKMP: Locking peer struct 0x66B7E378, refcount 1 for crypto_isakmp_process_block
*Jun 12 06:26:28.271: ISAKMP: local port 500, remote port 500
*Jun 12 06:26:28.271: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67FFDEC8
*Jun 12 06:26:28.271: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 12 06:26:28.271: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jun 12 06:26:28.275: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 12 06:26:28.275: ISAKMP:(0):found peer pre-shared key matching 2012::1
*Jun 12 06:26:28.275: ISAKMP:(0): local preshared key found
*Jun 12 06:26:28.275: ISAKMP : Scanning profiles for xauth ...
*Jun 12 06:26:28.275: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 12 06:26:28.275: ISAKMP: encryption AES-CBC
*Jun 12 06:26:28.275: ISAKMP: keylength of 256
*Jun 12 06:26:28.275: ISAKMP: hash MD5
*Jun 12 06:26:28.275: ISAKMP: default group 5
*Jun 12 06:26:28.275: ISAKMP: auth pre-share
*Jun 12 06:26:28.275: ISAKMP: life type in seconds
*Jun 12 06:26:28.275: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 12 06:26:28.275: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 12 06:26:28.275: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 12 06:26:28.275: ISAKMP:(0):Acceptable atts:life: 0
*Jun 12 06:26:28.275: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 12 06:26:28.275: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 12 06:26:28.275: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 12 06:26:28.275: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 12 06:26:28.275: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 12 06:26:28.275: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jun 12 06:26:28.279: ISAKMP:(0): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jun 12 06:26:28.279: ISAKMP:(0):Sending an IKE IPv6 Packet.
*Jun 12 06:26:28.279: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 12 06:26:28.279: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jun 12 06:26:28.283: ISAKMP (0): received packet from 2012::1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jun 12 06:26:28.283: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 12 06:26:28.283: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jun 12 06:26:28.283: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 12 06:26:28.491: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 12 06:26:28.491: ISAKMP:(0):found peer pre-shared key matching 2012::1
*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload
*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID is DPD
*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload
*Jun 12 06:26:28.491: ISAKMP:(1003): speaking to another IOS box!
*Jun 12 06:26:28.491: ISAKMP:(1003): processing vendor id payload
*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID seems Unity/DPD but major 52 mismatch
*Jun 12 06:26:28.491: ISAKMP:(1003): vendor ID is XAUTH
*Jun 12 06:26:28.491: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 12 06:26:28.491: ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jun 12 06:26:28.495: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 12 06:26:28.495: ISAKMP:(1003):Sending an IKE IPv6 Packet.
*Jun 12 06:26:28.495: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 12 06:26:28.495: ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jun 12 06:26:28.579: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jun 12 06:26:28.579: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 12 06:26:28.579: ISAKMP:(1003):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jun 12 06:26:28.583: ISAKMP:(1003): processing ID payload. message ID = 0
*Jun 12 06:26:28.583: ISAKMP (1003): ID payload
next-payload : 8
type : 5
address : 2012::1
protocol : 17
port : 500
length : 24
*Jun 12 06:26:28.583: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 12 06:26:28.583: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jun 12 06:26:28.583: ISAKMP:received payload type 17
*Jun 12 06:26:28.583: ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x67FFDEC8
*Jun 12 06:26:28.583: ISAKMP:(1003):SA authentication status:
authenticated
*Jun 12 06:26:28.583: ISAKMP:(1003):SA has been authenticated with 2012::1
*Jun 12 06:26:28.583: ISAKMP:(1003):SA authentication status:
authenticated
*Jun 12 06:26:28.583: ISAKMP:(1003): Process initial contact,
bring down existing phase 1 and 2 SA's with local 2012::2 remote 2012::1 remote port 500
*Jun 12 06:26:28.583: ISAKMP: Trying to insert a peer 2012::2/2012::1/500/, and inserted successfully 66B7E378.
*Jun 12 06:26:28.583: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 12 06:26:28.583: ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jun 12 06:26:28.583: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 12 06:26:28.587: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV6_ADDR
*Jun 12 06:26:28.587: ISAKMP (1003): ID payload
next-payload : 8
type : 5
address : 2012::2
protocol : 17
port : 500
length : 24
*Jun 12 06:26:28.587: ISAKMP:(1003):Total payload length: 24
*Jun 12 06:26:28.587: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 12 06:26:28.587: ISAKMP:(1003):Sending an IKE IPv6 Packet.
*Jun 12 06:26:28.587: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 12 06:26:28.587: ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jun 12 06:26:28.587: ISAKMP:(1003):IKE_DPD is enabled, initializing timers
*Jun 12 06:26:28.587: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 12 06:26:28.587: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 12 06:26:28.591: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE
*Jun 12 06:26:28.591: ISAKMP: set new node -58530768 to QM_IDLE
*Jun 12 06:26:28.591: ISAKMP:(1003): processing HASH payload. message ID = 4236436528
*Jun 12 06:26:28.591: ISAKMP:(1003): processing SA payload. message ID = 4236436528
*Jun 12 06:26:28.591: ISAKMP:(1003):Checking IPSec proposal 1
*Jun 12 06:26:28.591: ISAKMP: transform 1, ESP_AES
*Jun 12 06:26:28.591: ISAKMP: attributes in transform:
*Jun 12 06:26:28.591: ISAKMP: encaps is 2 (Transport)
*Jun 12 06:26:28.591: ISAKMP: SA life type in seconds
*Jun 12 06:26:28.595: ISAKMP: SA life duration (basic) of 28800
*Jun 12 06:26:28.595: ISAKMP: SA life type in kilobytes
*Jun 12 06:26:28.595: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 12 06:26:28.595: ISAKMP: authenticator is HMAC-MD5
*Jun 12 06:26:28.595: ISAKMP: key length is 256
*Jun 12 06:26:28.595: ISAKMP:(1003):atts are acceptable.
*Jun 12 06:26:28.595: IPSEC(validate_proposal_request): proposal part #1
*Jun 12 06:26:28.595: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 2012::2:0, remote= 2012::1:0,
local_proxy= 2012::2/128/47/0 (type=5),
remote_proxy= 2012::1/128/47/0 (type=5),
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 12 06:26:28.595: IPSEC(ipsecv6_find_ident_map): found IPsecv6 map Tunnel0-head-0 seq_no 65537 for requested proxies.
*Jun 12 06:26:28.595: ISAKMP:(1003): processing NONCE payload. message ID = 4236436528
*Jun 12 06:26:28.595: ISAKMP:(1003): processing ID payload. message ID = 4236436528
*Jun 12 06:26:28.595: ISAKMP:(1003): processing ID payload. message ID = 4236436528
*Jun 12 06:26:28.595: ISAKMP:(1003):QM Responder gets spi
*Jun 12 06:26:28.595: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 12 06:26:28.595: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jun 12 06:26:28.599: ISAKMP:(1003): Creating IPSec SAs
*Jun 12 06:26:28.599: inbound SA from 2012::1 to 2012::2 (f/i) 0/ 0
(proxy 2012::1 to 2012::2)
*Jun 12 06:26:28.599: has spi 0xCBF6D3FD and conn_id 0
*Jun 12 06:26:28.599: lifetime of 28800 seconds
*Jun 12 06:26:28.599: lifetime of 4608000 kilobytes
*Jun 12 06:26:28.599: outbound SA from 2012::2 to 2012::1 (f/i) 0/0
(proxy 2012::2 to 2012::1)
*Jun 12 06:26:28.599: has spi 0x188DD965 and conn_id 0
*Jun 12 06:26:28.599: lifetime of 28800 seconds
*Jun 12 06:26:28.599: lifetime of 4608000 kilobytes
*Jun 12 06:26:28.599: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 12 06:26:28.599: ISAKMP:(1003):Sending an IKE IPv6 Packet.
*Jun 12 06:26:28.599: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jun 12 06:26:28.599: ISAKMP:(1003):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jun 12 06:26:28.599: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 12 06:26:28.603: IPSEC(ipsecv6_find_ident_map): found IPsecv6 map Tunnel0-head-0 seq_no 65537 for requested proxies.
*Jun 12 06:26:28.603: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2012::1
*Jun 12 06:26:28.603: IPSEC(create_sa): sa created,
(sa) sa_dest= 2012::2, sa_proto= 50,
sa_spi= 0xCBF6D3FD(3421950973),
sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2005
sa_lifetime(k/sec)= (4572742/28800)
*Jun 12 06:26:28.603: IPSEC(create_sa): sa created,
(sa) sa_dest= 2012::1, sa_proto= 50,
sa_spi= 0x188DD965(411949413),
sa_trans= esp-aes 256 esp-md5-hmac , sa_conn_id= 2006
sa_lifetime(k/sec)= (4572742/28800)
*Jun 12 06:26:28.607: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE
*Jun 12 06:26:28.607: ISAKMP:(1003):deleting node -58530768 error FALSE reason "QM done (await)"
*Jun 12 06:26:28.607: ISAKMP:(1003):Node 4236436528, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 12 06:26:28.607: ISAKMP:(1003):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jun 12 06:26:28.607: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 12 06:26:28.607: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun 12 06:26:28.607: IPSEC(key_engine_enable_outbound): enable SA with spi 411949413/50
*Jun 12 06:26:28.607: IPSEC(update_current_outbound_sa): get enable SA peer 2012::1 current outbound sa to SPI 188DD965
*Jun 12 06:26:28.607: IPSEC(update_current_outbound_sa): updated peer 2012::1 current outbound sa to SPI 188DD965
*Jun 12 06:27:16.235: ISAKMP:(1002):purging SA., sa=67FFD4AC, delme=67FFD4AC
*Jun 12 06:27:18.607: ISAKMP:(1003):purging node -58530768
test2#ping 192.168.0.
*Jun 12 06:27:34.699: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE
*Jun 12 06:27:34.699: ISAKMP: set new node 982830211 to QM_IDLE
*Jun 12 06:27:34.699: ISAKMP:(1003): processing HASH payload. message ID = 982830211
*Jun 12 06:27:34.699: ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 982830211, sa = 0x67FFDEC8
*Jun 12 06:27:34.699: ISAKMP:(1003):deleting node 982830211 error FALSE reason "Informational (in) state 1"
*Jun 12 06:27:34.699: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 12 06:27:34.699: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 12 06:27:34.699: ISAKMP:(1003):DPD/R_U_THERE received from peer 2012::1, sequence 0xB227F79
*Jun 12 06:27:34.699: ISAKMP: set new node 1210782924 to QM_IDLE
*Jun 12 06:27:34.703: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1726403296, message ID = 1210782924
*Jun 12 06:27:34.703: ISAKMP:(1003): seq. no 0xB227F79
*Jun 12 06:27:34.703: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 12 06:27:34.703: ISAKMP:(1003):Sending an IKE IPv6 Packet.
*Jun 12 06:27:34.703: ISAKMP:(1003):purging node 1210782924
*Jun 12 06:27:34.703: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE1
*Jun 12 06:27:34.703: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
*Jun 12 06:27:37.875: ISAKMP: DPD received KMI message.
*Jun 12 06:27:37.875: ISAKMP: set new node 836561933 to QM_IDLE
*Jun 12 06:27:37.875: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 1729152104, message ID = 836561933
*Jun 12 06:27:37.875: ISAKMP:(1003): seq. no 0x2D0964A1
*Jun 12 06:27:37.875: ISAKMP:(1003): sending packet to 2012::1 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 12 06:27:37.875: ISAKMP:(1003):Sending an IKE IPv6 Packet.
*Jun 12 06:27:37.875: ISAKMP:(1003):purging node 836561933
*Jun 12 06:27:37.879: ISAKMP (1003): received packet from 2012::1 dport 500 sport 500 Global (R) QM_IDLE
*Jun 12 06:27:37.879: ISAKMP: set new node -2078384184 to QM_IDLE
*Jun 12 06:27:37.879: ISAKMP:(1003): processing HASH payload. message ID = 2216583112
*Jun 12 06:27:37.879: ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2216583112, sa = 0x67FFDEC8
*Jun 12 06:27:37.879: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 2012::1, sequence 0x2D0964A1
*Jun 12 06:27:37.879: ISAKMP:(1003):deleting node -2078384184 error FALSE reason "Informational (in) state 1"
*Jun 12 06:27:37.879: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 12 06:27:37.879: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
.....
Success rate is 0 percent (0/5)
test2#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
test2#
===================================================
Any idea?
Nicolas
06-11-2013 11:48 PM
Bonjour Nicolas,
So to summarize:
On the 1841 we have
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
On the 881 we have
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
meaning both sides are encapsulating traffic BUT they never receive the ESP packet from the other side.
Are we sure the ESP packets are exiting the 881 and 1841?
Are we sure the ESP packets are arriving on the 881 and 1841?
Regards,
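A repeatable way to apply the reading of the counters above is to parse `show crypto ipsec sa` and classify each interface by traffic direction. The Python below is an added example, not from this thread or from Cisco; the sample output is constructed (Tunnel0 copies the counters Nicolas posted, Tunnel1 is an invented healthy peer for contrast) and the function names and advice strings are the example's own. The signature in this thread is `encaps > 0, decaps == 0`: the local router is encrypting and sending, but no ESP from the peer ever arrives, which points at the transport path (the wire, filters, transport-side routing) rather than at the IKE or IPsec policy.

```python
import re

# Constructed sample in the shape of "show crypto ipsec sa". Tunnel0 carries
# the counters posted in this thread; Tunnel1 is invented for contrast.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2012::2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2012::2/128/47/0)
   remote ident (addr/mask/prot/port): (2012::1/128/47/0)
   current_peer 2012::1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts no sa (send) 2, #pkts invalid sa (rcv) 0

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2012::2

   current_peer 2012::3 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
"""

INTERFACE_LINE = re.compile(r"^interface:\s+(\S+)")
FIELD_PATTERNS = {
    "local": re.compile(r"Crypto map tag:\s+\S+,\s+local addr\s+(\S+)"),
    "peer": re.compile(r"current_peer\s+(\S+)\s+port\s+\d+"),
    "encaps": re.compile(r"#pkts encaps:\s+(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s+(\d+)"),
    "no_sa_send": re.compile(r"#pkts no sa \(send\)\s+(\d+)"),
}
COUNTERS = ("encaps", "decaps", "no_sa_send")

# What each verdict means for the operator, in the terms used in this thread.
ADVICE = {
    "idle": "no traffic has hit the SA yet; generate interesting traffic first",
    "one-way": ("local side encapsulates ESP but none arrives from the peer: "
                "capture on the transport link, check filters, and confirm "
                "transport-side (IPv6) routing is enabled on both routers"),
    "receive-only": "peer's ESP arrives but nothing is sent: check that traffic is routed into the tunnel",
    "bidirectional": "ESP flows both ways; look elsewhere (MTU, inner routing) if pings still fail",
}


def parse_show_crypto_ipsec_sa(text):
    """Return one record per 'interface:' section with its key counters."""
    records, current = [], None
    for line in text.splitlines():
        m = INTERFACE_LINE.match(line)
        if m:
            current = {"interface": m.group(1), **{c: 0 for c in COUNTERS}}
            records.append(current)
            continue
        if current is None:
            continue  # preamble before the first interface section
        for field, pattern in FIELD_PATTERNS.items():
            m = pattern.search(line)
            if m:
                current[field] = int(m.group(1)) if field in COUNTERS else m.group(1)
    return records


def classify(record):
    """Direction verdict from the encaps/decaps pair."""
    enc, dec = record["encaps"], record["decaps"]
    if enc == 0 and dec == 0:
        return "idle"
    if dec == 0:
        return "one-way"
    if enc == 0:
        return "receive-only"
    return "bidirectional"


def diagnose(text):
    """Map each interface to (verdict, advice)."""
    return {r["interface"]: (classify(r), ADVICE[classify(r)])
            for r in parse_show_crypto_ipsec_sa(text)}


if __name__ == "__main__":
    for rec in parse_show_crypto_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        verdict = classify(rec)
        print(f"{rec['interface']} {rec.get('local')} -> {rec.get('peer')}: "
              f"encaps={rec['encaps']} decaps={rec['decaps']} -> {verdict}: {ADVICE[verdict]}")
```

The `#pkts no sa (send)` counter is kept because it distinguishes packets dropped before an SA existed (normal during IKE setup) from packets that were encrypted and then lost in transit, which is the case on both routers in this thread.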
06-11-2013 11:52 PM
Bonjour Olivier,
Yes, I confirm there is no ESP traffic between the routers.
I put a sniffer between the routers and I can see only a few ISAKMP packets, nothing more (or ICMPv6...), but no ESP packets.
That's why I don't understand.
Nicolas
06-12-2013 02:26 AM
Weird... I did a quick test on my boxes [151-4.M6]
R102#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel0
Profile: test
Uptime: 00:00:29
Session status: UP-ACTIVE
Peer: 2001:2::1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 2001:2::1
Desc: (none)
IKEv1 SA: local 2001:1::1/500
remote 2001:2::1/500 Active
Capabilities:(none) connid:1001 lifetime:23:59:30
IPSEC FLOW: permit 47 host 2001:1::1 host 2001:2::1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 11 drop 0 life (KB/Sec) 4479445/3570
Outbound: #pkts enc'ed 17 drop 2 life (KB/Sec) 4479445/3570
The boxes are back to back? Any filters?
Do you have the same if you disable the local HW accelerator? And pick up "show crypto eli" prior to disabling the HW accelerator [to make sure IPv6 is listed].
06-12-2013 03:10 AM
I have the same result as you (the same when disabling the HW accelerator).
sh crypto eli:
hard encry active
nb of hard crypt eng : 1
crypto engin FPGA det : state = active
capability :....
ipsec session : 2 active 300 max 0 failes
:-(
06-12-2013 03:28 AM
Can you paste both complete configs?
06-12-2013 10:27 AM
Nicolas,
Can you attach the config + show ipv6 route + show crypto engine accell stati, from both sides?
My lab also works, software crypto.
M.
06-13-2013 12:02 AM
All the info asked for:
on 881 :
==========================================================
test2#wr t
Building configuration...
Current configuration : 2101 bytes
!
! Last configuration change at 08:13:16 CEDT Thu Jun 13 2013
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test2
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.151-4.M6.bin
boot-end-marker
!
!
enable password 7 0831424D1B4F56
!
no aaa new-model
!
clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name education.gouv.fr
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ104410AL
archive
log config
hidekeys
username clermont privilege 15 secret 4 XS7vUdQUY/uHCN04Hsr6Kqsfh1V9l76lhnXxAliCntU
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address ipv6 ::/0
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
mode transport
!
crypto ipsec profile RACINE
set transform-set ESP-AES-256-MD5
!
!
!
!
!
!
interface Tunnel0
description vers test1
ip unnumbered FastEthernet0/1
ipv6 enable
tunnel source FastEthernet0/0
tunnel mode gre ipv6
tunnel destination 2012::1
tunnel protection ipsec profile RACINE
!
interface FastEthernet0/0
description outside
no ip address
duplex auto
speed auto
ipv6 address 2012::2/64
ipv6 enable
!
interface FastEthernet0/1
description inside
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
login local
transport input ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end
test2#sh ipv6 roiu
test2#sh ipv6 ro
test2#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2012::/64 [0/0]
via FastEthernet0/0, directly connected
L 2012::2/128 [0/0]
via FastEthernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive
test2#sh cry
test2#sh crypto en
test2#sh crypto eng
test2#sh crypto engine ac
test2#sh crypto engine accelerator st
test2#sh crypto engine accelerator statistic
Device: FPGA
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 81146 seconds ago
18 packets in 18 packets out
2472 bytes in 3288 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 18 packets encrypted
0 bytes before decrypt 2472 bytes encrypted
0 bytes decrypted 3288 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
FPGA:
ds: 0x675AEB10 idb:0x67AF66F0
Statistics for Virtual Private Network (VPN) Module:
18 packets in 18 packets out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 18 packets encrypted
packet overruns: 0 output packets dropped: 0
tx_hi_drops: 0 fw_failure: 0
invalid_sa: 0 invalid_flow: 0
null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0
esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0
ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0
esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0
obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0
invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0
no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0
pak_too_big: 0
tx_lo_queue_size_max 0 cmd_unimplemented: 0
flow_cfg_mismatch 0 flow_ip_add_mismatch: 0
unknown_protocol 0 bad_particle_align: 0
81146 seconds since last clear of counters
Interrupts: Notify = 18
test2#
========================================================================
on 1841 :
========================================================================
test1#wr t
Building configuration...
Current configuration : 2117 bytes
!
! Last configuration change at 08:19:00 CEDT Thu Jun 13 2013
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test1
!
boot-start-marker
boot-end-marker
!
!
enable password 7 0831424D1B4F56
!
no aaa new-model
!
memory-size iomem 10
clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name education.gouv.fr
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ17159431
!
!
username clermont privilege 15 secret 4 XS7vUdQUY/uHCN04Hsr6Kqsfh1V9l76lhnXxAliCntU
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address ipv6 ::/0
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
mode transport
!
crypto ipsec profile RACINE
set transform-set ESP-AES-256-MD5
!
!
!
!
!
!
interface Tunnel0
description vers test2
ip unnumbered Vlan1
ipv6 enable
tunnel source FastEthernet4
tunnel mode gre ipv6
tunnel destination 2012::2
tunnel protection ipsec profile RACINE
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description outside
no ip address
duplex auto
speed auto
ipv6 address 2012::1/64
ipv6 enable
!
interface Vlan1
description inside
ip address 192.168.0.254 255.255.255.0
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
login local
transport input ssh
transport output none
!
scheduler max-task-time 5000
end
test1#show ipv
test1#show ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2012::/64 [0/0]
via FastEthernet4, directly connected
L 2012::1/128 [0/0]
via FastEthernet4, receive
L FF00::/8 [0/0]
via Null0, receive
test1#
test1#sh cry
test1#sh crypto en
test1#sh crypto eng
test1#sh crypto engine ac
test1#sh crypto engine accelerator st
test1#sh crypto engine accelerator statistic
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 81565 seconds ago
239 packets in 239 packets out
24856 bytes in 37284 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 239 packets encrypted
0 bytes before decrypt 24856 bytes encrypted
0 bytes decrypted 37284 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
26 packets in 26 packets out
0 paks/sec in 0 paks/sec out
73 bits/sec in 109 bits/sec out
0 bytes decrypted 2704 bytes encrypted
0 Kbits/sec decrypted 73 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
Errors:
Total Number of Packet Drops = 0
Pad Error = 0
Data Error = 0
Packet Error = 0
Null IP Error = 0
Hardware Error = 0
CP Unavailable = 0
HP Unavailable = 0
AH Seq Failure = 0
Link Down Error = 0
ESP Seq Failure = 0
AH Auth Failure = 0
ESP Auth Failure = 0
Queue Full Error = 0
API Request Error = 0
Invalid Flow Error = 0
Buffer Unavailable = 0
QOS Queue Full Error = 0
Packet too Big Error = 0
AH Replay Check Failure = 0
Too Many Particles Error = 0
ESP Replay Check Failure = 0
Input Queue Full Error = 0
Output Queue Full Error = 0
Pre-batch Queue Full Error = 0
Post-batch Queue Full Error = 0
BATCHING Statistics:
Batching Allowed
Batching currently Inactive
No of times batching turned on = 0
No of times batching turned off = 0
No of Flush Done = 0
Flush Timer in Milli Seconds = 8
Disable Timer in Seconds = 20
Threshold Crypto Paks/Sec
to enable batching = 2000
PRE-BATCHING Enabled
Pre-batch count, max_count = 0, 16
Packets queued to pre-batch queue = 0
Packets flushed from pre-batch queue = 0
The Pre-batch Queue Information
The Queuesize is = 128
The no entries currently being used = 0
The Read Index is = 0
The Write Index is = 0
The entries in use are between Read and Write Index
The entries in use are
POST-BATCHING Enabled
Post-batch count, max_count = 0, 16
Packets queued to post-batch queue = 0
Packets flushed from post-batch queue = 0
The Post-batch Queue Information
The Queuesize is = 128
The no entries currently being used = 0
The Read Index is = 0
The Write Index is = 0
The entries in use are between Read and Write Index
The entries in use are
test1#
=======================================================
regards
Nicolas
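An added diagnostic, not part of the thread or of any Cisco tool: it runs two checks over constructed excerpts modelled on the running config and `show crypto engine accelerator statistic` output posted above. It flags a GRE-over-IPv6 tunnel whose config lacks `ipv6 unicast-routing` (IOS does not forward IPv6 without it), flags a reversible `enable password` where no `enable secret` exists, and classifies the encrypt/decrypt counters as one-way traffic when one direction stays at zero. The excerpts and the finding messages are my own construction.

```python
import re

# Constructed excerpts modelled on the posted output (not a full capture).
RUNNING_CONFIG = """\
hostname test1
no ipv6 cef
enable password 7 0831424D1B4F56
interface Tunnel0
 tunnel mode gre ipv6
 tunnel destination 2012::2
 tunnel protection ipsec profile RACINE
"""

ACCEL_STATS = """\
239 packets in 239 packets out
0 packets decrypted 239 packets encrypted
"""


def config_findings(config):
    """Return a list of (severity, message) tuples for a show-run excerpt."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    ipv6_tunnel = any(l.startswith("tunnel mode gre ipv6") for l in lines)
    if ipv6_tunnel and "ipv6 unicast-routing" not in lines:
        findings.append(("error", "GRE over IPv6 tunnel configured but "
                         "'ipv6 unicast-routing' is absent; IOS will not "
                         "forward IPv6, so the tunnel cannot pass traffic"))
    has_pw = any(l.startswith("enable password") for l in lines)
    has_secret = any(l.startswith("enable secret") for l in lines)
    if has_pw and not has_secret:
        findings.append(("warn", "'enable password' is type 7 (reversible); "
                         "use 'enable secret' instead"))
    return findings


def crypto_direction(stats):
    """Classify accelerator counters: ('ok'|'encrypt-only'|'decrypt-only'|'idle', dec, enc)."""
    m = re.search(r"(\d+) packets decrypted\s+(\d+) packets encrypted", stats)
    if not m:
        raise ValueError("no decrypt/encrypt counter line found")
    dec, enc = int(m.group(1)), int(m.group(2))
    if dec == 0 and enc == 0:
        return ("idle", dec, enc)
    if dec == 0:          # we send but never receive: return path is broken
        return ("encrypt-only", dec, enc)
    if enc == 0:
        return ("decrypt-only", dec, enc)
    return ("ok", dec, enc)


if __name__ == "__main__":
    for sev, msg in config_findings(RUNNING_CONFIG):
        print(f"[{sev}] {msg}")
    print(crypto_direction(ACCEL_STATS))  # -> ('encrypt-only', 0, 239)
```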