What is IPSEC?
IPSec stands for "IP Security". The IETF's definition of IPSec is:
"A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality" (IETF)
In short, it is a standard for privacy, integrity and authenticity of IP traffic.
IPSEC Protocol Architecture
IPSEC is basically a combination of three primary protocols: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP port 500).
- For authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP)
- For integrity check: Encapsulating Security Payload (ESP)
- For confidentiality: Encapsulating Security Payload (ESP)
- Bringing it all together: Internet Key Exchange (IKE)
IPSEC is implemented in the following five stages:
1. Decision to use IPSEC between two end points across the internet
2. Configuration of the two gateways between the end points to support IPSEC
3. Initiation of an IPSEC tunnel between the two gateways due to 'interesting traffic'
4. Negotiation of IPSEC/IKE parameters between the two gateways
5. Passage of encrypted traffic
IPSec Troubleshooting Steps
- Check for interesting traffic to initiate the tunnel; check the crypto ACLs for hit counts
  – If there are none, verify routing (static or RRI)
- Verify that the IKE SA is up (QM_IDLE) for that peer
  – If not, verify that the pre-shared keys match
  – Verify that the IKE policies (encryption, authentication, DH group) match
  – Verify that the IKE identities match
- Verify that the IPSec SAs are up (inbound and outbound SPIs)
  – If not, verify that the IPSec transform sets match
  – Verify that the crypto ACLs are mirrored on each side
  – Verify that the crypto map is applied to the right interface
- Turn on IKE/IPSec debugs
IPSec Show Commands
- To show IKE SA information:
  – show crypto isakmp sa <vrf> [detail]
  – show crypto isakmp peer <ip-addr>
- To show IPSec SA information:
  – show crypto ipsec sa [ address | detail | interface | map | peer | vrf ]
- To show IKE and IPSec information together:
  – show crypto session [ fvrf | group | ivrf | username ] [ detail ]
  – show crypto engine connection active
Cisco IOS IPSec Debugging
- These are the current IKE/IPSec debugs available; a few of them are typically the most useful:
- Make sure to use crypto conditional debugs when troubleshooting production routers, since unfiltered crypto debugs on a busy device are expensive
  – debug crypto isakmp
  – debug crypto isakmp error
  – debug crypto isakmp ha
  – debug crypto ipsec
  – debug crypto ipsec error
  – debug crypto routing
  – debug crypto ha
  – debug crypto engine error
  – debug crypto engine packet
Crypto Conditional Debugging
We can use crypto conditional debugging when troubleshooting live networks, especially where there are multiple tunnels running on the device.
- The crypto conditional debug CLIs—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition—allow you to specify conditions (filter values) so that only debug messages related to the specified conditions are generated and displayed
- The router performs conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, or debug crypto engine—has been enabled; this requirement helps to ensure that the performance of the router is not impacted when conditional debugging is not being used
- To enable crypto conditional debugging:
  – debug crypto condition <cond-type> <cond-value>
  – debug crypto { isakmp | ipsec | engine }
- To view the crypto condition debugs that have been enabled:
  – show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
- To disable crypto condition debugs:
  – debug crypto condition reset
Crypto Conditional Debugging: Condition Types
The <cond-type> values accepted by debug crypto condition are:

Condition type | Meaning
--- | ---
fvrf | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance; relevant debug messages are shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF)
ivrf | The name string of a VRF instance; relevant debug messages are shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF)
isakmp profile | The name string of the ISAKMP profile to be matched against for debugging
local ipv4 | The IP address string of the local IKE endpoint
peer group | An EzVPN group name string; relevant debug messages are shown if the peer is using this group name as its identity
peer ipv4 | A single IP address; relevant debug messages are shown if the current IPSec operation is related to the IP address of this peer
peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses; relevant debug messages are shown if the IP address of the current IPSec peer falls into the specified subnet range
peer hostname | A fully qualified domain name (FQDN) string; relevant debug messages are shown if the peer is using this string as its identity
username | The username string (XAuth username or PKI-AAA username obtained from a certificate)
Clearing the VPN Tunnel
- To clear the IKE SA (Phase 1):
  – clear crypto isakmp sa
- To clear the IPSEC SAs (Phase 2):
  – clear crypto ipsec sa
Crypto Logging
Two crypto logging enhancements were introduced in recent Cisco IOS images:

  Hub(config)# crypto logging ?
    ezvpn    ezvpn logging enable/disable
    session  logging up/down session

- crypto logging session, introduced in 12.3(14)T, displays tunnel up/down messages:
  %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
  %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
- crypto logging ezvpn, introduced in 12.4(4)T, displays EasyVPN connection messages:
  %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
  %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
  %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
  %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
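The session messages above are what a syslog collector sees once crypto logging session is enabled. As an added example (not part of the original page or of Cisco's own tooling), the script below parses those %CRYPTO-5-SESSION_STATUS lines, keeps the last known state per peer and VRF, and flags peers whose tunnel goes DOWN repeatedly, which is the usual first hint of a flapping Phase 1/Phase 2 negotiation. The timestamps in the sample log are constructed; the message bodies follow the format shown on this page.

```python
import re
from collections import defaultdict

# Matches the "crypto logging session" message shown on this page, e.g.
#   %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
# The optional "f_vrf: <name>" field appears when the tunnel terminates in a front-door VRF.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)"
    r"(?: f_vrf: (?P<fvrf>\S+))?"
    r" Id: (?P<ident>\S+)"
)

def parse_session_event(line):
    """Return the fields of a SESSION_STATUS line, or None for any other syslog line."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev

def summarize(lines, flap_threshold=2):
    """Walk syslog lines in order; return final state per (peer, fvrf), DOWN counts and flapping peers."""
    state = {}
    downs = defaultdict(int)
    for line in lines:
        ev = parse_session_event(line)
        if ev is None:          # EZVPN_CONNECTION_* and unrelated messages are skipped
            continue
        key = (ev["peer"], ev["fvrf"])
        state[key] = ev["state"]
        if ev["state"] == "DOWN":
            downs[key] += 1
    flapping = sorted((k for k, n in downs.items() if n >= flap_threshold),
                      key=lambda k: (k[0], k[1] or ""))
    return {"state": state, "downs": dict(downs), "flapping": flapping}

# Constructed sample log: the message bodies copy the formats above, the timestamps are invented.
SAMPLE_LOG = """\
*Mar  1 00:10:01.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
*Mar  1 00:10:05.000: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
*Mar  1 00:10:05.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
*Mar  1 00:12:30.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
*Mar  1 00:12:41.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
*Mar  1 00:13:02.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A peer that lands in the flapping list is the one to target with debug crypto condition peer ipv4 before turning on the global crypto debugs.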