I've modified my lab and reconfigured the Firepower 1010 firewall in order to establish a Site-to-Site IPSec VPN with a Cisco 1901 ISR router.
To reconfigure the outside interface (Ethernet1/1) with a static address, first go to Device > System Settings > DHCP Server.
Under the Configuration tab, disable (toggle off the blue switch) Enable Auto Configuration.
The DHCP server's auto-configuration takes its DNS settings from the DHCP lease on the outside interface, so FDM will not let you switch Ethernet1/1 from a DHCP-assigned address to a static one while it is enabled.
Go to Device > Interfaces > View All Interfaces.
On Ethernet1/1, under Actions, click Edit (blue pencil icon).
Leave the Interface Name: outside > leave the Mode: Routed > leave the Status: enabled.
Under Type > select Static.
Type IPv4 Address: 200.1.1.2 > Subnet Mask: 30 (255.255.255.252, the /30 shared with the router's WAN address 200.1.1.1) > click OK.
Skip the settings under the IPv6 Address and Advanced tabs.
Click Deployment > Deploy Now.
Because the interface no longer learns a default route from DHCP, you also need a static default route: go to Device > Routing (when no routes exist yet the card offers Create the first static route) and click Create Static Route.
Type a Name: FTD-DEFAULT-ROUTE > leave IPv4 selected (default) > under Gateway > click Create new Network and create a Host object for the router's WAN address, 200.1.1.1 (the other end of the /30).
Under Gateway > select the newly created Host object (use the Filter box to find it).
Under Interface > select outside (Ethernet1/1).
Leave the default Metric: 1 > under Networks > select any-ipv4 > click OK > OK.
Click Deployment > Deploy Now.
To configure a Site-to-Site VPN in FTD, go to Device > Site-to-Site VPN > View Configuration.
Click Create Site-to-Site Connection to launch the configuration wizard.
Type a Connection Profile Name: FTD-S2S-VPN > click Next.
Under Local Site > local VPN Access Interface > select: outside (Ethernet1/1).
Under Local Network > click Add (plus icon) > select the object for the inside subnet: Obj-192.168.1.0-24 > click OK.
Under Remote Site > select: Static > type Remote IP Address: 200.1.1.1 (R1 WAN IP address) > under Remote Network > click Add (plus icon) > Create new Network.
Type a Name: R1-REMOTE-LAN > leave Type: Network (default) > type Network: 192.168.2.0/24 > click OK.
Under Remote Network > select the newly created network object: R1-REMOTE-LAN > click OK.
Click Next (bottom).
IKE Version 2 is enabled by default but you can't use it (restricted) with the 90-day Evaluation license. I used IKE Version 1 protocols instead.
The underlying restriction is on encryption strength: in evaluation mode, or without the export-controlled features enabled on the Smart License, the FTD can only use DES, which is why DES appears in every policy in this lab. DES, SHA-1 and DH group 5 are acceptable for a lab but not for a production tunnel.
Below are the IKE Phase 1 and IKE Phase 2 policies configured on the remote router.
Define IKEv1 ISAKMP Phase 1 Policy.
Router(config)#crypto ?
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ikev2 Configure IKEv2 Options
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
xauth X-Auth parameters
Router(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
Router(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
Router(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
Router(config-isakmp)#encryption des
Router(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)
Router(config-isakmp)#hash sha
Router(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
19 Diffie-Hellman group 19 (256 bit ecp)
2 Diffie-Hellman group 2 (1024 bit)
20 Diffie-Hellman group 20 (384 bit ecp)
24 Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)
5 Diffie-Hellman group 5 (1536 bit)
Router(config-isakmp)#group 5
Define the ISAKMP pre-shared key for the peer. The key string must be identical on the FTD. As entered here it is stored in cleartext in the running configuration (the 0 keyword is implied); on a real device enable type-6 encryption first with key config-key password-encryption and password encryption aes so the key is stored encrypted.
Router(config-isakmp)#exit
Router(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
Router(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
Router(config)#crypto isakmp key cisco123 ?
address define shared key with IP address
hostname define shared key with hostname
Router(config)#crypto isakmp key cisco123 address ?
A.B.C.D Peer IP address
ipv6 define shared key with IPv6 address
Router(config)#crypto isakmp key cisco123 address 200.1.1.2
Create a crypto ACL that defines the "interesting" traffic: packets matching it trigger the tunnel and are encrypted. It must be the exact mirror image of the local/remote networks selected on the FTD (192.168.2.0/24 to 192.168.1.0/24 here); otherwise Quick Mode fails with a proxy identity mismatch.
Router(config)#ip access-list extended FTD-CRYPTO-ACL
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Define the IPSec transform set for IKE Phase 2 (tunnel mode is the default, so no mode command is needed).
Router(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
Router(cfg-crypto-trans)#
Create a crypto map entry (sequence 10) that binds the peer, the transform set and the crypto ACL together; Phase 1 is tied in implicitly through the ISAKMP policy and the pre-shared key configured for that peer.
Router(cfg-crypto-trans)#exit
Router(config)#
Router(config)#crypto map ?
WORD Crypto map tag
ipv6 IPv6 crypto map
Router(config)#crypto map CMAP-FTD ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
Router(config)#crypto map CMAP-FTD 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
Router(config)#crypto map CMAP-FTD 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
Router(config-crypto-map)#set ?
identity Identity restriction.
ikev2-profile Specify ikev2 Profile
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
Router(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
Router(config-crypto-map)#set peer 200.1.1.2
Router(config-crypto-map)#set transform-set ?
WORD Proposal tag
Router(config-crypto-map)#set transform-set TSET
Router(config-crypto-map)#match ?
address Match address of packets to encrypt.
Router(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
Router(config-crypto-map)#match address FTD-CRYPTO-ACL
Apply the crypto map to the router's WAN/ISP interface (GigabitEthernet0/1, 200.1.1.1). ISAKMP is switched on automatically when the first crypto map is applied, as the syslog message below shows.
Router(config)#interface g0/1
Router(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
Router(config-if)#crypto map CMAP-FTD
Router(config-if)#
Sep 19 12:29:43.035: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router#show run | sec crypto
crypto pki token default removal timeout 0
crypto isakmp policy 10
! (annotation) encryption des and hash sha are the IOS defaults, so they are not shown in the running config
authentication pre-share
group 5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set TSET esp-des esp-sha-hmac
crypto map CMAP-FTD 10 ipsec-isakmp
set peer 200.1.1.2
set transform-set TSET
match address FTD-CRYPTO-ACL
crypto map CMAP-FTD
Enable IKE Version 1 (toggle the blue switch) > under Globally applied > click Edit.
Leave the default IKE v1 Policies > click OK.
The default FTD IKEv1 policy that matches the router's policy 10 uses DES (encryption), SHA-1 (hash/integrity), DH group 5 and pre-shared-key authentication (the key must be identical on both ends); the router debug further down confirms the match (encryption DES-CBC, hash SHA, group 5, auth pre-share).
Click Add (plus icon).
Select the IPSec Proposals (IKE Phase 2): ESP_SHA_HMAC-ESP_DES-TUNNEL.
The identical IKE Phase 2 policies with the router are: ESP-DES (encryption) and ESP-SHA-1 (hash/integrity).
Click OK.
Type the pre-shared key: cisco123
Leave the default Diffie-Hellman Group for Perfect Forward Secrecy (PFS): No Perfect Forward Secrecy (turned off) > click Next. This matches the router, whose crypto map has no set pfs line; PFS must be either on (with the same group) or off on both sides, or Phase 2 will not complete.
Review the Summary settings > click Finish.
Click Deployment > Deploy Now.
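The policy above negotiates with the FTD, but DES, SHA-1, DH group 5, a cleartext pre-shared key and no PFS are lab settings, not something to leave on a production edge. Below is the same router configuration hardened, as an added example that is not part of the original lab config: AES-256/SHA-256/group 14 for both phases, the PSK stored type-6 encrypted, DPD and PFS enabled, plus the IKEv2 objects needed to move the same crypto map to IKEv2 once the FTD is registered with the export-controlled license (required before FDM offers anything stronger than DES). The object names TSET-AES, PROP-FTD, POL-FTD, KR-FTD and PROF-FTD, the master passphrase and the <long-random-psk> placeholder are my own choices; the FTD side must be changed to the same algorithms, PFS group and key or Phase 1/Phase 2 will not agree.

```text
! Store pre-shared keys encrypted (type 6) instead of cleartext.
! The passphrase below is an example value; pick your own.
key config-key password-encryption Lab-Master-Passphrase-2020
password encryption aes
!
! IKE Phase 1 (IKEv1): replaces "encryption des / hash sha / group 5"
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Dead Peer Detection: probe every 10 s, retry every 3 s, even when idle
crypto isakmp keepalive 10 3 periodic
!
! <long-random-psk> is a placeholder; use a long random string, identical on the FTD
crypto isakmp key <long-random-psk> address 200.1.1.2
!
! IKE Phase 2: replaces "esp-des esp-sha-hmac"
crypto ipsec transform-set TSET-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: must be the mirror image of the FTD's local/remote networks
ip access-list extended FTD-CRYPTO-ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CMAP-FTD 10 ipsec-isakmp
 description S2S to Firepower 1010 (200.1.1.2)
 set peer 200.1.1.2
 set transform-set TSET-AES
 set pfs group14
 set security-association lifetime seconds 3600
 match address FTD-CRYPTO-ACL
!
interface GigabitEthernet0/1
 ip address 200.1.1.1 255.255.255.252
 crypto map CMAP-FTD
!
! ---- Optional: move the same crypto map to IKEv2 ----
crypto ikev2 proposal PROP-FTD
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-FTD
 proposal PROP-FTD
crypto ikev2 keyring KR-FTD
 peer FTD
  address 200.1.1.2
  pre-shared-key <long-random-psk>
crypto ikev2 profile PROF-FTD
 match identity remote address 200.1.1.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-FTD
 dpd 10 3 periodic
! then, under "crypto map CMAP-FTD 10 ipsec-isakmp":
!  set ikev2-profile PROF-FTD
```

After the type-6 commands, show run displays the key as crypto isakmp key 6 ... rather than the cleartext string. On the FTD, the matching changes are an IKEv1 policy (or IKEv2 policy) with AES-256/SHA-256/group 14, an IPsec proposal with AES-256/SHA-256, PFS set to group 14 and the same pre-shared key; change both peers in the same maintenance window, since the tunnel is down until the policies agree again.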
You can launch the FTD CLI from the Dashboard by clicking the CLI Console icon (top).
Click Undock into separate window.
Use show crypto isakmp sa (IKE Phase 1) and show crypto ipsec sa (IKE Phase 2); the FTD CLI is ASA-style, so the output looks like the ASA's and mirrors the router's commands of the same name.
Bring the tunnel up from the router with a ping sourced from the LAN side (the crypto ACL only matches traffic from 192.168.2.0/24), with debug crypto isakmp and debug crypto ipsec enabled. The debug output below is interleaved with the ping output. The first echo is dropped while the IKE SAs are still being negotiated (the #send errors 1 counter in show crypto ipsec sa further down); the remaining four are encrypted (encaps 4 on the router, decaps 4 on the FTD) but no replies come back (encaps 0 on the FTD), so the ping still reports 0/5 even though both SAs are up.
Router#ping 192.168.1.10 source 192.168.2.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.20
Sep 19 13:40:11.227: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.1.1.1:500, remote= 200.1.1.2:500,
local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 19 13:40:11.227: ISAKMP:(0): SA request profile is (NULL)
Sep 19 13:40:11.227: ISAKMP: Created a peer struct for 200.1.1.2, peer port 500
Sep 19 13:40:11.227: ISAKMP: New peer created peer = 0x27EA267C peer_handle = 0x80000002
Sep 19 13:40:11.227: ISAKMP: Locking peer struct 0x27EA267C, refcount 1 for isakmp_initiator
Sep 19 13:40:11.227: ISAKMP: local port 500, remote port 500
Sep 19 13:40:11.227: ISAKMP: set new node 0 to QM_IDLE
Sep 19 13:40:11.227: ISAKMP:(0):insert sa successfully sa = 27EAF0F0
Sep 19 13:40:11.227: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 19 13:40:11.227: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 19 13:40:11.227: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 19 13:40:11.227: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Sep 19 13:40:11.227: ISAKMP:(0): beginning Main Mode exchange
Sep 19 13:40:11.227: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 19 13:40:11.227: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 13:40:11.231: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
Sep 19 13:40:11.231: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 13:40:11.231: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Sep 19 13:40:11.231: ISAKMP:(0): processing SA payload. message ID = 0
Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload
Sep 19 13:40:11.231: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 13:40:11.231: ISAKMP (0): vendor ID is NAT-T RFC 3947
Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload
Sep 19 13:40:11.231: ISAKMP:(0): processing IKE frag vendor id payload
Sep 19 13:40:11.231: ISAKMP:(0):Support for IKE Fragmentation not enabled
Sep 19 13:40:11.231: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
Sep 19 13:40:11.231: ISAKMP:(0): local preshared key found
Sep 19 13:40:11.231: ISAKMP : Scanning profiles for xauth ...
Sep 19 13:40:11.231: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Sep 19 13:40:11.231: ISAKMP: encryption DES-CBC
Sep 19 13:40:11.231: ISAKMP: hash SHA
Sep 19 13:40:11.231: ISAKMP: default group 5
Sep 19 13:40:11.231: ISAKMP: auth pre-share
Sep 19 13:40:11.231: ISAKMP: life type in seconds
Sep 19 13:40:11.231: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Sep 19 13:40:11.231: ISAKMP:(0):atts are acceptable. Next payload is 0
Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:actual life: 0
Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:life: 0
Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Sep 19 13:40:11.231: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 19 13:40:11.231: ISAKMP:(0)::Started lifetime timer: 86400.
Sep 19 13:40:11.295: ISAKMP:(0): processing vendor id payload
Sep 19 13:40:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 13:40:11.295: ISAKMP (0): vendor ID is NAT-T RFC 3947
Sep 19 13:40:11.295: ISAKMP:(0): processing vendor id payload
Sep 19 13:40:11.295: ISAKMP:(0): processing IKE frag vendor id payload
Sep 19 13:40:11.295: ISAKMP:(0):Support for IKE Fragmentation not enabled
Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Sep 19 13:40:11.295: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 13:40:11.295: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Sep 19 13:40:11.299: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
.....
Success rate is 0 percent (0/5)
Router#
Sep 19 13:40:11.299: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 13:40:11.299: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Sep 19 13:40:11.299: ISAKMP:(0): processing KE payload. message ID = 0
Sep 19 13:40:11.379: ISAKMP:(0): processing NONCE payload. message ID = 0
Sep 19 13:40:11.379: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload
Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is Unity
Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload
Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID seems Unity/DPD but major 194 mismatch
Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is XAUTH
Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload
Sep 19 13:40:11.379: ISAKMP:(1001): speaking to another IOS box!
Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload
Sep 19 13:40:11.379: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
Sep 19 13:40:11.379: ISAKMP:received payload type 20
Sep 19 13:40:11.379: ISAKMP (1001): His hash no match - this node outside NAT
Sep 19 13:40:11.379: ISAKMP:received payload type 20
Sep 19 13:40:11.379: ISAKMP (1001): No NAT Found for self or peer
Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
Sep 19 13:40:11.379: ISAKMP:(1001):Send initial contact
Sep 19 13:40:11.379: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Sep 19 13:40:11.379: ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 500
length : 12
Sep 19 13:40:11.379: ISAKMP:(1001):Total payload length: 12
Sep 19 13:40:11.379: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Sep 19 13:40:11.379: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
Sep 19 13:40:11.383: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Sep 19 13:40:11.383: ISAKMP:(1001): processing ID payload. message ID = 0
Sep 19 13:40:11.383: ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 200.1.1.2
protocol : 17
port : 0
length : 12
Sep 19 13:40:11.383: ISAKMP:(0):: peer matches *none* of the profiles
Sep 19 13:40:11.383: ISAKMP:(1001): processing HASH payload. message ID = 0
Sep 19 13:40:11.383: ISAKMP:received payload type 17
Sep 19 13:40:11.383: ISAKMP:(1001): processing vendor id payload
Sep 19 13:40:11.383: ISAKMP:(1001): vendor ID is DPD
Sep 19 13:40:11.383: ISAKMP:(1001):SA authentication status:
authenticated
Sep 19 13:40:11.383: ISAKMP:(1001):SA has been authenticated with 200.1.1.2
Sep 19 13:40:11.383: ISAKMP: Trying to insert a peer 200.1.1.1/200.1.1.2/500/, and inserted successfully 27EA267C.
Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Sep 19 13:40:11.383: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 2419858072
Sep 19 13:40:11.383: ISAKMP:(1001):QM Initiator gets spi
Sep 19 13:40:11.383: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:40:11.383: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:11.383: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:11.387: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:40:11.387: ISAKMP:(1001): processing HASH payload. message ID = 2419858072
Sep 19 13:40:11.387: ISAKMP:(1001): processing SA payload. message ID = 2419858072
Sep 19 13:40:11.387: ISAKMP:(1001):Checking IPSec proposal 1
Sep 19 13:40:11.387: ISAKMP: transform 1, ESP_DES
Sep 19 13:40:11.387: ISAKMP: attributes in transform:
Sep 19 13:40:11.387: ISAKMP: SA life type in seconds
Sep 19 13:40:11.387: ISAKMP: SA life duration (basic) of 3600
Sep 19 13:40:11.387: ISAKMP: SA life type in kilobytes
Sep 19 13:40:11.387: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Sep 19 13:40:11.387: ISAKMP: encaps is 1 (Tunnel)
Sep 19 13:40:11.387: ISAKMP: authenticator is HMAC-SHA
Sep 19 13:40:11.387: ISAKMP:(1001):atts are acceptable.
Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1
Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,
local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 19 13:40:11.387: Crypto mapdb : proxy_match
src addr : 192.168.2.0
dst addr : 192.168.1.0
protocol : 0
src port : 0
dst port : 0
Sep 19 13:40:11.387: ISAKMP:(1001): processing NONCE payload. message ID = 2419858072
Sep 19 13:40:11.387: ISAKMP:(1001): processing ID payload. message ID = 2419858072
Sep 19 13:40:11.387: ISAKMP:(1001): processing ID payload. message ID = 2419858072
Sep 19 13:40:11.387: ISAKMP:(1001): Creating IPSec SAs
Sep 19 13:40:11.387: inbound SA from 200.1.1.2 to 200.1.1.1 (f/i) 0/ 0
(proxy 192.168.1.0 to 192.168.2.0)
Sep 19 13:40:11.387: has spi 0x283BAD0 and conn_id 0
Sep 19 13:40:11.391: lifetime of 3600 seconds
Sep 19 13:40:11.391: lifetime of 4608000 kilobytes
Sep 19 13:40:11.391: outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/0
(proxy 192.168.2.0 to 192.168.1.0)
Sep 19 13:40:11.391: has spi 0x14D869CB and conn_id 0
Sep 19 13:40:11.391: lifetime of 3600 seconds
Sep 19 13:40:11.391: lifetime of 4608000 kilobytes
Sep 19 13:40:11.391: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:40:11.391: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:11.391: ISAKMP:(1001):deleting node -1875109224 error FALSE reason "No Error"
Sep 19 13:40:11.391: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 19 13:40:11.391: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Sep 19 13:40:11.391: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 19 13:40:11.391: Crypto mapdb : proxy_match
src addr : 192.168.2.0
dst addr : 192.168.1.0
protocol : 0
src port : 0
dst port : 0
Sep 19 13:40:11.391: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2
Sep 19 13:40:11.391: IPSEC(policy_db_add_ident): src 192.168.2.0, dest 192.168.1.0, dest_port 0
Sep 19 13:40:11.391: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_proto= 50,
sa_spi= 0x283BAD0(42187472),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4578499/3600)
Sep 19 13:40:11.391: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_proto= 50,
sa_spi= 0x14D869CB(349727179),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4578499/3600)
Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): get enable SA peer 200.1.1.2 current outbound sa to SPI 14D869CB
Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): updated peer 200.1.1.2 current outbound sa to SPI 14D869CB
Sep 19 13:40:36.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:40:36.787: ISAKMP: set new node 1936719789 to QM_IDLE
Sep 19 13:40:36.787: ISAKMP:(1001): processing HASH payload. message ID = 1936719789
Sep 19 13:40:36.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1936719789, sa = 0x27EAF0F0
Sep 19 13:40:36.787: ISAKMP:(1001):deleting node 1936719789 error FALSE reason "Informational (in) state 1"
Sep 19 13:40:36.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 19 13:40:36.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:36.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B00
Sep 19 13:40:36.787: ISAKMP: set new node -1133030632 to QM_IDLE
Sep 19 13:40:36.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 817338144, message ID = 3161936664
Sep 19 13:40:36.787: ISAKMP:(1001): seq. no 0x56945B00
Sep 19 13:40:36.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:40:36.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:36.787: ISAKMP:(1001):purging node -1133030632
Sep 19 13:40:36.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 19 13:40:36.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:46.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:40:46.787: ISAKMP: set new node -906294456 to QM_IDLE
Sep 19 13:40:46.787: ISAKMP:(1001): processing HASH payload. message ID = 3388672840
Sep 19 13:40:46.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3388672840, sa = 0x27EAF0F0
Sep 19 13:40:46.787: ISAKMP:(1001):deleting node -906294456 error FALSE reason "Informational (in) state 1"
Sep 19 13:40:46.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 19 13:40:46.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:46.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B01
Sep 19 13:40:46.787: ISAKMP: set new node -413392161 to QM_IDLE
Sep 19 13:40:46.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 817338144, message ID = 3881575135
Sep 19 13:40:46.787: ISAKMP:(1001): seq. no 0x56945B01
Sep 19 13:40:46.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:40:46.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:46.791: ISAKMP:(1001):purging node -413392161
Sep 19 13:40:46.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 19 13:40:46.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:56.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:40:56.787: ISAKMP: set new node -930427889 to QM_IDLE
Sep 19 13:40:56.787: ISAKMP:(1001): processing HASH payload. message ID = 3364539407
Sep 19 13:40:56.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3364539407, sa = 0x27EAF0F0
Sep 19 13:40:56.787: ISAKMP:(1001):deleting node -930427889 error FALSE reason "Informational (in) state 1"
Sep 19 13:40:56.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 19 13:40:56.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:40:56.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B02
Sep 19 13:40:56.787: ISAKMP: set new node -2117361168 to QM_IDLE
Sep 19 13:40:56.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 817338144, message ID = 2177606128
Sep 19 13:40:56.791: ISAKMP:(1001): seq. no 0x56945B02
Sep 19 13:40:56.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:40:56.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:40:56.791: ISAKMP:(1001):purging node -2117361168
Sep 19 13:40:56.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 19 13:40:56.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:41:01.391: ISAKMP:(1001):purging node -1875109224
Sep 19 13:41:06.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:41:06.787: ISAKMP: set new node -131896221 to QM_IDLE
Sep 19 13:41:06.787: ISAKMP:(1001): processing HASH payload. message ID = 4163071075
Sep 19 13:41:06.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 4163071075, sa = 0x27EAF0F0
Sep 19 13:41:06.787: ISAKMP:(1001):deleting node -131896221 error FALSE reason "Informational (in) state 1"
Sep 19 13:41:06.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 19 13:41:06.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:41:06.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B03
Sep 19 13:41:06.791: ISAKMP: set new node 1784003598 to QM_IDLE
Sep 19 13:41:06.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 817338144, message ID = 1784003598
Sep 19 13:41:06.791: ISAKMP:(1001): seq. no 0x56945B03
Sep 19 13:41:06.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:41:06.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:41:06.791: ISAKMP:(1001):purging node 1784003598
Sep 19 13:41:06.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 19 13:41:06.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:41:16.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 13:41:16.787: ISAKMP: set new node 986600194 to QM_IDLE
Sep 19 13:41:16.787: ISAKMP:(1001): processing HASH payload. message ID = 986600194
Sep 19 13:41:16.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 986600194, sa = 0x27EAF0F0
Sep 19 13:41:16.787: ISAKMP:(1001):deleting node 986600194 error FALSE reason "Informational (in) state 1"
Sep 19 13:41:16.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 19 13:41:16.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 19 13:41:16.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B04
Sep 19 13:41:16.791: ISAKMP: set new node -260990127 to QM_IDLE
Sep 19 13:41:16.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 817338144, message ID = 4033977169
Sep 19 13:41:16.791: ISAKMP:(1001): seq. no 0x56945B04
Sep 19 13:41:16.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 13:41:16.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Sep 19 13:41:16.791: ISAKMP:(1001):purging node -260990127
Sep 19 13:41:16.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 19 13:41:16.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
200.1.1.2 200.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: CMAP-FTD, local addr 200.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 200.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x14D869CB(349727179)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x283BAD0(42187472)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: CMAP-FTD
sa timing: remaining key lifetime (k/sec): (4578499/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x14D869CB(349727179)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: CMAP-FTD
sa timing: remaining key lifetime (k/sec): (4578498/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
> show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.1.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
> show crypto ipsec sa
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.2
access-list |s2sAcl|929ad92c-fa84-11ea-b7a9-b3d23c8619eb extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 200.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.1.1.2/0, remote crypto endpt.: 200.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0283BAD0
current inbound spi : 14D869CB
inbound esp sas:
spi: 0x14D869CB (349727179)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4373999/3196)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x0283BAD0 (42187472)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4374000/3196)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
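A verification and troubleshooting pass on both sides, as an added runbook that is not part of the original post. It reads the counters from the show output above: the router reports encaps 4 / decaps 0 and the FTD decaps 4 / encaps 0, so the echo requests crossed the tunnel and were decrypted but nothing came back, which points at the far-end host or the FTD access policy rather than at IKE. It assumes the FTD's LAN-facing interface is named inside; all other names and addresses are the lab's.

```text
! ===== Router (IOS) =====
! Phase 1: expect state QM_IDLE / status ACTIVE for peer 200.1.1.2
show crypto isakmp sa
! Phase 2: encaps should rise on the sender and decaps on the receiver.
! encaps > 0 here with decaps 0, while the FTD shows decaps > 0 and encaps 0,
! means one-way traffic: the tunnel works, the return path does not.
show crypto ipsec sa peer 200.1.1.2 | include ident|encaps|decaps|spi|errors
show crypto session detail
!
! Enable debugs only while reproducing, and turn them off afterwards.
debug crypto isakmp
debug crypto ipsec
! Where Main Mode stalls tells you what is wrong:
!   stuck in MM_NO_STATE  -> no reply from the peer: UDP/500 blocked, wrong peer
!                            address, or no Phase 1 policy in common
!                            ("atts are not acceptable" on the responder)
!   stuck in MM_KEY_EXCH  -> Phase 1 proposal agreed but the pre-shared key (or
!                            identity) differs, so MM5/MM6 cannot be decrypted
!   Phase 1 complete, Quick Mode fails with "proxy identities not supported"
!                         -> crypto ACL and FTD local/remote networks are not
!                            mirror images
!   Phase 1 complete, "transform proposal not supported" or
!   "phase 2 SA policy not acceptable"
!                         -> transform set / IPsec proposal or PFS mismatch
undebug all
!
! Force a fresh negotiation after changing policy on either side
clear crypto sa
clear crypto isakmp

! ===== FTD (CLI console, ASA-style) =====
show crypto ikev1 sa
show crypto ipsec sa peer 200.1.1.1
show vpn-sessiondb l2l
! Simulate a packet from the laptop to the loopback "web server" and confirm
! the trace reaches the VPN encrypt phase instead of being dropped earlier
! (for example by the access control policy)
packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.20 80
```

On the FTD, show vpn-sessiondb l2l gives the bytes sent and received per tunnel in one line, which is the quickest way to spot a one-way tunnel; packet-tracer shows every phase the packet passes through, so a drop in the ACCESS-LIST or NAT phase is visible before you start doubting the crypto configuration.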
I simulated a web server on the Cisco 1901 router using a Loopback interface with IP address 192.168.2.20/24 (standing in for the remote LAN). I connected from my laptop (192.168.1.10) to the web server at 192.168.2.20 and also telnetted to R1 using that same Loopback IP address.