123399-General IPsec Troubleshooting
advertisement
Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL The router should send a UDP/500 packet towards the other peer. i.e. (IOS) IPv4 Crypto ISAKMP SA dst src state conn-id status 172.18.254.4 172.18.254.89 MM_NO_STATE 0 ACTIVE Check that the responder actually receives that UDP/500 packet. via: packet capture on the interface Hits on an permit entry for an interface ACL Inbound Netflow counters on the interface PROTOCOL FLOW We should see ISAKMP initiate. Check “show crypto isakmp sa” to see if an entry is created for us to the remote peer. MM1 The responder should receive the MM1 packet and also create an entry in it’s table. Check the table and see if there is an entry. If not successful you’ll [IKEv1 DEBUG]IP = 172.18.254.89, All SA proposals found unacceptable If successful you’ll see : [IKEv1 DEBUG]IP = 172.18.254.89, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5 At this point the responder should send back UDP/500 Main Mode Message 2. You can see that with “show cry isakmp sa” i.e. (ASA) 1 IKE Peer: 172.18.254.89 Type : user Role : responder Rekey : no State : MM_WAIT_MSG3 PROTOCOL FLOW The responder should process the packet and negotiate which ISAKMP policy to choose. “debug crypto isakmp 128” should show you this. MM2 The initiator should receive the MM2 packet (UDP/500) process it. Debugs on IOS show: *Feb 1 21:44:23.314: ISAKMP (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_NO_STATE *Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 Debugs on IOS show: *Feb *Feb *Feb *Feb 1 21:44:23.315: ISAKMP:(0): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_SA_SETUP 1 21:44:23.315: ISAKMP:(0):Sending an IKE IPv4 Packet. 1 21:44:23.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 The responder should get the MM3 packet (UDP/500) and Return MM4 (UDP/500) *Feb 1 21:44:23.315: (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_SA_SETUP *Feb 1 21:44:23.315: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Feb 1 21:44:23.315: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4 PROTOCOL FLOW The initiator should then send back MM3 (UDP/500) MM3 MM4 At this point the Initiator has enough information to determine whether either of the peers are behind NAT. If they are not communication remains to occur on UDP/500, however if they are then it switches to UDP/4500 The initiator should send Main Mode message 5. *Feb R100#show cry isa sa IPv4 Crypto ISAKMP SA dst src state conn-id status 1.1.1.102 1.1.1.100 MM_KEY_EXCH 1006 ACTIVE The Responder should receive MM5 and authenticate the Initiator. If responder successfully authenticates the peer it will send back MM6. If it fails the authentication the responder will re-transmit the last successful packet (i.e. MM4) back to the initiator. PROTOCOL FLOW *Feb *Feb *Feb *Feb 1 21:44:23.315: ISAKMP:(1002):Total payload length: 12 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_KEY_EXCH 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5 MM5 PROTOCOL FLOW *Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_KEY_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002): processing ID payload. message ID = 0 *Feb 1 21:44:23.315: ISAKMP (1002): ID payload next-payload : 8 type :1 address : 1.1.1.102 protocol : 17 port : 500 length : 12 *Feb 1 21:44:23.315: ISAKMP:(0):: peer matches *none* of the profiles *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 0 *Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated *Feb 1 21:44:23.315: ISAKMP:(1002):SA has been authenticated with 1.1.1.102 *Feb 1 21:44:23.315: ISAKMP: Trying to insert a peer 1.1.1.101/1.1.1.102/500/, and inserted successfully 52F9320. *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6 *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE MM6 Phase 1 COMPLETE The Phase 1 SA negotiation is complete and the initiator will now propose a phase 2 to protect traffic. The initiator will send QM1 which contains the requested IPsec SA parameters. *Feb *Feb *Feb *Feb *Feb *Feb 1 21:44:24.315: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 196323019 1 21:44:24.315: ISAKMP:(1002):QM Initiator gets spi 1 21:44:24.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE 1 21:44:24.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. 1 21:44:24.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_INTERNAL, IKE_INIT_QM 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 If successful: *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb *Feb 1 21:44:24.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE 1 21:44:24.315: ISAKMP:(1002): processing HASH payload. message ID = 196323019 1 21:44:24.315: ISAKMP:(1002): processing SA payload. message ID = 196323019 1 21:44:24.315: ISAKMP:(1002):Checking IPSec proposal 1 1 21:44:24.315: ISAKMP: transform 1, ESP_3DES 1 21:44:24.315: ISAKMP: attributes in transform: 1 21:44:24.315: ISAKMP: encaps is 2 (Transport) 1 21:44:24.315: ISAKMP: SA life type in seconds 1 21:44:24.315: ISAKMP: SA life duration (basic) of 3600 1 21:44:24.315: ISAKMP: SA life type in kilobytes 1 21:44:24.315: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 1 21:44:24.315: ISAKMP: authenticator is HMAC-MD5 1 21:44:24.315: ISAKMP:(1002):atts are acceptable. PROTOCOL FLOW The responder will validate the proposal. It will check the proposed SA against it’s ACL, peer, and transform configuration. It will send back QM2 to notify whether the proposal was accepted or not. QM1 If not successful: The initiator will the acknowledge the acceptance with QM3 and complete the phase 2 installation. *Feb *Feb *Feb *Feb *Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. 1 21:44:23.315: ISAKMP:(1002):deleting node 196323019 error FALSE reason "No Error" 1 21:44:23.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE PROTOCOL FLOW *Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP: set new node 1984354591 to QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 1984354591 *Feb 1 21:44:23.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2340447730, message ID = 1984354591, sa = 4990F28 *Feb 1 21:44:23.315: ISAKMP:(1002): deleting spi 2340447730 message ID = 24306363 *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 24306363 error TRUE reason "Delete Larval" *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 1984354591 error FALSE reason "Informational (in) state 1" *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE QM2 QM3 Phase 2 COMPLETE
