Friday, January 1, 2021

Cisco Firepower 1010 Site-to-Site VPN

I've modified my lab and reconfigured the Firepower 1010 firewall in order to establish a Site-to-Site IPSec VPN with a Cisco 1901 ISR router.

To re-configure the outside interface (Ethernet1/1), go to Device > System Settings > DHCP Server.

Under Configuration tab > disable (toggle blue switch): Enable Auto Configuration.

 

This will disable the outside interface (Ethernet1/1) from obtaining DHCP settings from the ISP.

 


Go to Device > Interfaces > View All Interfaces.

On Ethernet1/1 > under Actions > click Edit (blue pencil icon).

Leave the Interface Name: outside > leave the Mode: Routed > leave the Status: enabled.

Under Type > select Static.

Type IPv4 Address: 200.1.1.2 > Subnet Mask: 30 > click OK.

Skip the settings under IPv6 Address and Advanced tabs.


 Click Deployment > Deploy Now.

You also need to create a static default route under Device > Routing > Create the first static route.

Click Create Static Route.

Type a Name: FTD-DEFAULT-ROUTE > leave IPv4 selected (default) > Gateway > Create new Network.


Under Filter > select the newly created Host object.

Under Interface > select outside (Ethernet1/1).

Leave default the Metric:1 > under Networks > select: any-ipv4 Network > click OK > OK.

Click Deployment > Deploy Now.

To configure a Site-to-Site VPN in FTD, go to Device > Site-to-Site VPN > View Configuration.

Click Create Site-to-Site Connection to launch the configuration wizard.

Type a Connection Profile Name: FTD-S2S-VPN > click Next.

Under Local Site > local VPN Access Interface > select: outside (Ethernet1/1).

Under Local Network > click Add (plus icon) > select the object for the inside subnet: Obj-192.168.1.0-24 > click OK.

Under Remote Site > select: Static > type Remote IP Address: 200.1.1.1 (R1 WAN IP address) > under Remote Network > click Add (plus icon) > Create new Network.

Type a Name: R1-REMOTE-LAN > leave Type: Network (default) > type Network: 192.168.2.0/24 > click OK.

Under Remote Network > select the newly created network object: R1-REMOTE-LAN > click OK.

Click Next (bottom).

IKE Version 2 is enabled by default but you can't use it (restricted) with the 90-day Evaluation license.

I used IKE Version 1protocols instead.


Below are the IKE Phase 1 and IKE Phase 2 policies configured on the remote router.


Define IKEv1 ISAKMP Phase 1 Policy.

 

Router(config)#crypto ?    

  call          Configure Crypto Call Admission Control

  ctcp          Configure cTCP encapsulation

  dynamic-map   Specify a dynamic crypto map template

  engine        Enter a crypto engine configurable menu

  gdoi          Configure GDOI policy

  identity      Enter a crypto identity list

  ikev2         Configure IKEv2 Options

  ipsec         Configure IPSEC policy

  isakmp        Configure ISAKMP policy

  key           Long term key operations

  keyring       Key ring commands

  logging       logging messages

  map           Enter a crypto map

  mib           Configure Crypto-related MIB Parameters

  pki           Public Key components

  provisioning  Secure Device Provisioning

  wui           Crypto HTTP configuration interfaces

  xauth         X-Auth parameters

 

Router(config)#crypto isakmp ?

  aggressive-mode       Disable ISAKMP aggressive mode

  client                Set client configuration policy

  default               ISAKMP default policy

  enable                Enable ISAKMP

  fragmentation         IKE Fragmentation enabled if required

  identity              Set the identity which ISAKMP will use

  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify

  keepalive             Set a keepalive interval for use with IOS peers

  key                   Set pre-shared key for remote peer

  nat                   Set a nat  keepalive interval for use with IOS peers

  peer                  Set Peer Policy

  policy                Set policy for an ISAKMP protection suite

  profile               Define ISAKMP Profiles

  xauth                 Set Extended Authentication values

 

Router(config)#crypto isakmp policy ?

  <1-10000>  Priority of protection suite

 

Router(config)#crypto isakmp policy 10

Router(config-isakmp)#?

ISAKMP commands:

  authentication  Set authentication method for protection suite

  default         Set a command to its defaults

  encryption      Set encryption algorithm for protection suite

  exit            Exit from ISAKMP protection suite configuration mode

  group           Set the Diffie-Hellman group

  hash            Set hash algorithm for protection suite

  lifetime        Set lifetime for ISAKMP security association

  no              Negate a command or set its defaults

 

Router(config-isakmp)#encryption ?

  3des  Three key triple DES

  aes   AES - Advanced Encryption Standard.

  des   DES - Data Encryption Standard (56 bit keys).

 

Router(config-isakmp)#encryption des

Router(config-isakmp)#authentication ?

  pre-share  Pre-Shared Key

  rsa-encr   Rivest-Shamir-Adleman Encryption

  rsa-sig    Rivest-Shamir-Adleman Signature

 

Router(config-isakmp)#authentication pre-share

Router(config-isakmp)#hash ?

  md5     Message Digest 5

  sha     Secure Hash Standard

  sha256  Secure Hash Standard 2 (256 bit)

  sha384  Secure Hash Standard 2 (384 bit)

  sha512  Secure Hash Standard 2 (512 bit)

 

Router(config-isakmp)#hash sha

Router(config-isakmp)#group ?

  1   Diffie-Hellman group 1 (768 bit)

  14  Diffie-Hellman group 14 (2048 bit)

  15  Diffie-Hellman group 15 (3072 bit)

  16  Diffie-Hellman group 16 (4096 bit)

  19  Diffie-Hellman group 19 (256 bit ecp)

  2   Diffie-Hellman group 2 (1024 bit)

  20  Diffie-Hellman group 20 (384 bit ecp)

  24  Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)

  5   Diffie-Hellman group 5 (1536 bit)

 

Router(config-isakmp)#group 5

 

 

Define the Local ISAKMP Crypto Key. The key string should also be the same on the remote FTD device.

 

Router(config-isakmp)#exit             

Router(config)#crypto isakmp ?

  aggressive-mode       Disable ISAKMP aggressive mode

  client                Set client configuration policy

  default               ISAKMP default policy

  enable                Enable ISAKMP

  fragmentation         IKE Fragmentation enabled if required

  identity              Set the identity which ISAKMP will use

  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify

  keepalive             Set a keepalive interval for use with IOS peers

  key                   Set pre-shared key for remote peer

  nat                   Set a nat  keepalive interval for use with IOS peers

  peer                  Set Peer Policy

  policy                Set policy for an ISAKMP protection suite

  profile               Define ISAKMP Profiles

  xauth                 Set Extended Authentication values

 

Router(config)#crypto isakmp key ?

  0     Specifies an UNENCRYPTED password will follow

  6     Specifies an ENCRYPTED password will follow

  WORD  The UNENCRYPTED (cleartext) user password

 

Router(config)#crypto isakmp key cisco123 ?

  address   define shared key with IP address

  hostname  define shared key with hostname

 

Router(config)#crypto isakmp key cisco123 address ?

  A.B.C.D  Peer IP address

  ipv6     define shared key with IPv6 address

 

Router(config)#crypto isakmp key cisco123 address 200.1.1.2

 

 

Create a Crypto ACL which will trigger the "interesting" traffic.

 

Router(config)#ip access-list extended FTD-CRYPTO-ACL

Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

 

 

Define the IPSec Transform Set for IKE Phase 2

 

Router(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac

Router(cfg-crypto-trans)#

 

 

Create a Crypto Map to bind all the IKE Phase 1 and Phase 2 Policy

 

Router(cfg-crypto-trans)#exit

Router(config)#

Router(config)#crypto map ?

  WORD  Crypto map tag

  ipv6  IPv6 crypto map

 

Router(config)#crypto map CMAP-FTD ?

  <1-65535>       Sequence to insert into crypto map entry

  client          Specify client configuration settings

  gdoi            Configure crypto map gdoi features

  isakmp          Specify isakmp configuration settings

  isakmp-profile  Specify isakmp profile to use

  local-address   Interface to use for local address for this crypto map

  redundancy      High availability options for this map

 

Router(config)#crypto map CMAP-FTD 10 ?

  gdoi          GDOI

  ipsec-isakmp  IPSEC w/ISAKMP

  ipsec-manual  IPSEC w/manual keying

  <cr>

 

Router(config)#crypto map CMAP-FTD 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

Router(config-crypto-map)#?

Crypto Map configuration commands:

  default        Set a command to its defaults

  description    Description of the crypto map statement policy

  dialer         Dialer related commands

  exit           Exit from crypto map configuration mode

  match          Match values.

  no             Negate a command or set its defaults

  qos            Quality of Service related commands

  reverse-route  Reverse Route Injection.

  set            Set values for encryption/decryption

 

Router(config-crypto-map)#set ?

  identity              Identity restriction.

  ikev2-profile         Specify ikev2 Profile

  ip                    Interface Internet Protocol config commands

  isakmp-profile        Specify isakmp Profile

  nat                   Set NAT translation

  peer                  Allowed Encryption/Decryption peer.

  pfs                   Specify pfs settings

  reverse-route         Reverse Route Injection.

  security-association  Security association parameters

  transform-set         Specify list of transform sets in priority order

 

Router(config-crypto-map)#set peer ?

  A.B.C.D  IP address of peer

  WORD     Host name of the peer

 

Router(config-crypto-map)#set peer 200.1.1.2

Router(config-crypto-map)#set transform-set ?

  WORD  Proposal tag

 

Router(config-crypto-map)#set transform-set TSET

Router(config-crypto-map)#match ?

  address  Match address of packets to encrypt.

 

Router(config-crypto-map)#match address ?

  <100-199>    IP access-list number

  <2000-2699>  IP access-list number (expanded range)

  WORD         Access-list name

 

Router(config-crypto-map)#match address FTD-CRYPTO-ACL

 

 

Apply the Crypto Map on the router's WAN/ISP interface.

 

Router(config)#interface g0/1

Router(config-if)#crypto ?

  ipsec  Set IPSec parameters

  map    Assign a Crypto Map

 

Router(config-if)#crypto map CMAP-FTD

Router(config-if)#

Sep 19 12:29:43.035: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 

 

Router#show run | sec crypto

crypto pki token default removal timeout 0

crypto isakmp policy 10   // DEFAULT ENCRYPTION IS DES AND SHA-1 HASH (NOT SHOWN IN THE CONFIG)

 authentication pre-share

 group 5

crypto isakmp key cisco123 address 200.1.1.2

crypto ipsec transform-set TSET esp-des esp-sha-hmac

crypto map CMAP-FTD 10 ipsec-isakmp

 set peer 200.1.1.2

 set transform-set TSET

 match address FTD-CRYPTO-ACL

 crypto map CMAP-FTD


Enable IKE Version 1 (toggle the blue switch) > under Globally applied > click Edit.

Leave the default IKE v1 Policies > click OK.

The identical IKE Phase 1 policies with the router are: SHA-1 (hash/integrity), DES (encryption) and pre-shared-key (must be the same on both ends).

Click Add (plus icon).

Select the IPSec Proposals (IKE Phase 2): ESP_SHA_HMAC-ESP_DES-TUNNEL. 

The identical IKE Phase 2 policies with the router are: ESP-DES (encryption) and ESP-SHA-1 (hash/integrity).

Click OK.

Type the pre-shared key: cisco123

 

Leave the default Diffie-Hellman Group for Perfect Forward Secrecy (PFS): No Perfect Forward Secrecy (turned off) > click Next.

 

Review the Summary settings > click Finish.



Click Deployment > Deploy Now.



You can launch the FTD CLI from the Dashboard by clicking the CLI Console icon (top).

Click Undock into separate window.


You can use the show crypto isakmp sa (IKE Phase 1) and show crypto ipsec sa (IKE Phase 2) which are similar to the ASA commands.


Router#ping 192.168.1.10 source 192.168.2.20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.20

 

Sep 19 13:40:11.227: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 200.1.1.1:500, remote= 200.1.1.2:500,

    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Sep 19 13:40:11.227: ISAKMP:(0): SA request profile is (NULL)

Sep 19 13:40:11.227: ISAKMP: Created a peer struct for 200..1.1.2, peer port 500

Sep 19 13:40:11.227: ISAKMP: New peer created peer = 0x27EA267C peer_handle = 0x80000002

Sep 19 13:40:11.227: ISAKMP: Locking peer struct 0x27EA267C, refcount 1 for isakmp_initiator

Sep 19 13:40:11.227: ISAKMP: local port 500, remote port 500

Sep 19 13:40:11.227: ISAKMP: set new node 0 to QM_IDLE

Sep 19 13:40:11.227: ISAKMP:(0):insert sa successfully sa = 27EAF0F0

Sep 19 13:40:11.227: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Sep 19 13:40:11.227: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-07 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-03 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-02 ID

Sep 19 13:40:11.227: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Sep 19 13:40:11.227: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 19 13:40:11.227: ISAKMP:(0): beginn.ing Main Mode exchange

Sep 19 13:40:11.227: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 19 13:40:11.227: ISAKMP:(0):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.231: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE

Sep 19 13:40:11.231: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.231: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Sep 19 13:40:11.231: ISAKMP:(0): processing SA payload. message ID = 0

Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Sep 19 13:40:11.231: ISAKMP (0): vendor ID is NAT-T RFC 3947

Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0): processing IKE frag vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0):Support for IKE Fragmentation not enabled

Sep 19 13:40:11.231: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep .19 13:40:11.231: ISAKMP:(0): local preshared key found

Sep 19 13:40:11.231: ISAKMP : Scanning profiles for xauth ...

Sep 19 13:40:11.231: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

Sep 19 13:40:11.231: ISAKMP:      encryption DES-CBC

Sep 19 13:40:11.231: ISAKMP:      hash SHA

Sep 19 13:40:11.231: ISAKMP:      default group 5

Sep 19 13:40:11.231: ISAKMP:      auth pre-share

Sep 19 13:40:11.231: ISAKMP:      life type in seconds

Sep 19 13:40:11.231: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

Sep 19 13:40:11.231: ISAKMP:(0):atts are acceptable. Next payload is 0

Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:actual life: 0

Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:life: 0

Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa vpi_length:4

Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Sep 19 13:40:11.231: ISAKMP:(0):Returning Actual lifetime: 86400

Sep 19 13:40:11.231: ISAKMP:(0)::Started lifetime timer: 86400.

Sep 19 13:40:11.295: IS.AKMP:(0): processing vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Sep 19 13:40:11.295: ISAKMP (0): vendor ID is NAT-T RFC 3947

Sep 19 13:40:11.295: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0): processing IKE frag vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0):Support for IKE Fragmentation not enabled

Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Sep 19 13:40:11.295: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

Sep 19 13:40:11.295: ISAKMP:(0):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Sep 19 13:40:11.299: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP

Sep 19 13:40:11.299: ISAKMP:(0.

Success rate is 0 percent (0/5)

Router#):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.299: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Sep 19 13:40:11.299: ISAKMP:(0): processing KE payload. message ID = 0

Sep 19 13:40:11.379: ISAKMP:(0): processing NONCE payload. message ID = 0

Sep 19 13:40:11.379: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is Unity

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID seems Unity/DPD but major 194 mismatch

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is XAUTH

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): speaking to another IOS box!

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch

Sep 19 13:40:11.379: ISAKMP:received payload type 20

Sep 19 13:40:11.379: ISAKMP (1001): His hash no match - this node outside NAT

Sep 19 13:40:11.379: ISAKMP:received payload type 20

Sep 19 13:40:11.379: ISAKMP (1001): No NAT Found for self or peer

Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4

Sep 19 13:40:11.379: ISAKMP:(1001):Send initial contact

Sep 19 13:40:11.379: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

Sep 19 13:40:11.379: ISAKMP (1001): ID payload

        next-payload : 8

        type         : 1

        address      : 200.1.1.1

        protocol     : 17

        port         : 500

        length       : 12

Sep 19 13:40:11.379: ISAKMP:(1001):Total payload length: 12

Sep 19 13:40:11.379: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Sep 19 13:40:11.379: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5

Sep 19 13:40:11.383: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

Sep 19 13:40:11.383: ISAKMP:(1001): processing ID payload. message ID = 0

Sep 19 13:40:11.383: ISAKMP (1001): ID payload

        next-payload : 8

        type         : 1

        address      : 200.1.1.2

        protocol     : 17

        port         : 0

        length       : 12

Sep 19 13:40:11.383: ISAKMP:(0):: peer matches *none* of the profiles

Sep 19 13:40:11.383: ISAKMP:(1001): processing HASH payload. message ID = 0

Sep 19 13:40:11.383: ISAKMP:received payload type 17

Sep 19 13:40:11.383: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.383: ISAKMP:(1001): vendor ID is DPD

Sep 19 13:40:11.383: ISAKMP:(1001):SA authentication status:

        authenticated

Sep 19 13:40:11.383: ISAKMP:(1001):SA has been authenticated with 200.1.1.2

Sep 19 13:40:11.383: ISAKMP: Trying to insert a peer 200.1.1.1/200.1.1.2/500/,  and inserted successfully 27EA267C.

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6 

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 2419858072

Sep 19 13:40:11.383: ISAKMP:(1001):QM Initiator gets spi

Sep 19 13:40:11.383: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:11.383: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.383: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:11.387: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:11.387: ISAKMP:(1001): processing HASH payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): processing SA payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001):Checking IPSec proposal 1

Sep 19 13:40:11.387: ISAKMP: transform 1, ESP_DES

Sep 19 13:40:11.387: ISAKMP:   attributes in transform:

Sep 19 13:40:11.387: ISAKMP:      SA life type in seconds

Sep 19 13:40:11.387: ISAKMP:      SA life duration (basic) of 3600

Sep 19 13:40:11.387: ISAKMP:      SA life type in kilobytes

Sep 19 13:40:11.387: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

Sep 19 13:40:11.387: ISAKMP:      encaps is 1 (Tunnel)

Sep 19 13:40:11.387: ISAKMP:      authenticator is HMAC-SHA

Sep 19 13:40:11.387: ISAKMP:(1001):atts are acceptable.

Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1

Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,

    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Sep 19 13:40:11.387: Crypto mapdb : proxy_match

        src addr     : 192.168.2.0

        dst addr     : 192.168.1.0

        protocol     : 0

        src port     : 0

        dst port     : 0

Sep 19 13:40:11.387: ISAKMP:(1001): processing NONCE payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): processing ID payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): processing ID payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): Creating IPSec SAs

Sep 19 13:40:11.387:         inbound SA from 200.1.1.2 to 200.1.1.1 (f/i)  0/ 0

        (proxy 192.168.1.0 to 192.168.2.0)

Sep 19 13:40:11.387:         has spi 0x283BAD0 and conn_id 0

Sep 19 13:40:11.391:         lifetime of 3600 seconds

Sep 19 13:40:11.391:         lifetime of 4608000 kilobytes

Sep 19 13:40:11.391:         outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/0

        (proxy 192.168.2.0 to 192.168.1.0)

Sep 19 13:40:11.391:         has spi  0x14D869CB and conn_id 0

Sep 19 13:40:11.391:         lifetime of 3600 seconds

Sep 19 13:40:11.391:         lifetime of 4608000 kilobytes

Sep 19 13:40:11.391: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:11.391: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.391: ISAKMP:(1001):deleting node -1875109224 error FALSE reason "No Error"

Sep 19 13:40:11.391: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Sep 19 13:40:11.391: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

Sep 19 13:40:11.391: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Sep 19 13:40:11.391: Crypto mapdb : proxy_match

        src addr     : 192.168.2.0

        dst addr     : 192.168.1.0

        protocol     : 0

        src port     : 0

        dst port     : 0

Sep 19 13:40:11.391: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2

Sep 19 13:40:11.391: IPSEC(policy_db_add_ident): src 192.168.2.0, dest 192.168.1.0, dest_port 0

Sep 19 13:40:11.391: IPSEC(create_sa): sa created,

  (sa) sa_dest= 200.1.1.1, sa_proto= 50,

    sa_spi= 0x283BAD0(42187472),

    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001

    sa_lifetime(k/sec)= (4578499/3600)

Sep 19 13:40:11.391: IPSEC(create_sa): sa created,

  (sa) sa_dest= 200.1.1.2, sa_proto= 50,

    sa_spi= 0x14D869CB(349727179),

    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2002

    sa_lifetime(k/sec)= (4578499/3600)

Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): get enable SA peer 200.1.1.2 current outbound sa to SPI 14D869CB

Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): updated peer 200.1.1.2 current outbound sa to SPI 14D869CB

Sep 19 13:40:36.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:36.787: ISAKMP: set new node 1936719789 to QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001): processing HASH payload. message ID = 1936719789

Sep 19 13:40:36.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 1936719789, sa = 0x27EAF0F0

Sep 19 13:40:36.787: ISAKMP:(1001):deleting node 1936719789 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:36.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:36.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:36.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B00

Sep 19 13:40:36.787: ISAKMP: set new node -1133030632 to QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 817338144, message ID = 3161936664

Sep 19 13:40:36.787: ISAKMP:(1001): seq. no 0x56945B00

Sep 19 13:40:36.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:36.787: ISAKMP:(1001):purging node -1133030632

Sep 19 13:40:36.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:36.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:46.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:46.787: ISAKMP: set new node -906294456 to QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001): processing HASH payload. message ID = 3388672840

Sep 19 13:40:46.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 3388672840, sa = 0x27EAF0F0

Sep 19 13:40:46.787: ISAKMP:(1001):deleting node -906294456 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:46.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:46.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:46.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B01

Sep 19 13:40:46.787: ISAKMP: set new node -413392161 to QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 817338144, message ID = 3881575135

Sep 19 13:40:46.787: ISAKMP:(1001): seq. no 0x56945B01

Sep 19 13:40:46.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:46.791: ISAKMP:(1001):purging node -413392161

Sep 19 13:40:46.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:46.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:56.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:56.787: ISAKMP: set new node -930427889 to QM_IDLE

Sep 19 13:40:56.787: ISAKMP:(1001): processing HASH payload. message ID = 3364539407

Sep 19 13:40:56.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 3364539407, sa = 0x27EAF0F0

Sep 19 13:40:56.787: ISAKMP:(1001):deleting node -930427889 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:56.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:56.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:40:56.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B02

Sep 19 13:40:56.787: ISAKMP: set new node -2117361168 to QM_IDLE

Sep 19 13:40:56.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 817338144, message ID = 2177606128

Sep 19 13:40:56.791: ISAKMP:(1001): seq. no 0x56945B02

Sep 19 13:40:56.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:56.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:56.791: ISAKMP:(1001):purging node -2117361168

Sep 19 13:40:56.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:56.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:41:01.391: ISAKMP:(1001):purging node -1875109224

Sep 19 13:41:06.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:41:06.787: ISAKMP: set new node -131896221 to QM_IDLE

Sep 19 13:41:06.787: ISAKMP:(1001): processing HASH payload. message ID = 4163071075

Sep 19 13:41:06.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 4163071075, sa = 0x27EAF0F0

Sep 19 13:41:06.787: ISAKMP:(1001):deleting node -131896221 error FALSE reason "Informational (in) state 1"

Sep 19 13:41:06.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:41:06.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:41:06.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B03

Sep 19 13:41:06.791: ISAKMP: set new node 1784003598 to QM_IDLE

Sep 19 13:41:06.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 817338144, message ID = 1784003598

Sep 19 13:41:06.791: ISAKMP:(1001): seq. no 0x56945B03

Sep 19 13:41:06.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:41:06.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:41:06.791: ISAKMP:(1001):purging node 1784003598

Sep 19 13:41:06.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:41:06.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:41:16.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:41:16.787: ISAKMP: set new node 986600194 to QM_IDLE

Sep 19 13:41:16.787: ISAKMP:(1001): processing HASH payload. message ID = 986600194

Sep 19 13:41:16.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 986600194, sa = 0x27EAF0F0

Sep 19 13:41:16.787: ISAKMP:(1001):deleting node 986600194 error FALSE reason "Informational (in) state 1"

Sep 19 13:41:16.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:41:16.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 13:41:16.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B04

Sep 19 13:41:16.791: ISAKMP: set new node -260990127 to QM_IDLE

Sep 19 13:41:16.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 817338144, message ID = 4033977169

Sep 19 13:41:16.791: ISAKMP:(1001): seq. no 0x56945B04

Sep 19 13:41:16.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:41:16.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:41:16.791: ISAKMP:(1001):purging node -260990127

Sep 19 13:41:16.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:41:16.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

 

 

Router#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

200.1.1.2       200.1.1.1       QM_IDLE           1001 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

 

Router#show crypto ipsec sa

 

interface: GigabitEthernet0/1

    Crypto map tag: CMAP-FTD, local addr 200.1.1.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   current_peer 200.1.1.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

 

     local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x14D869CB(349727179)

     PFS (Y/N): N, DH group: none

 

     inbound esp sas:

      spi: 0x283BAD0(42187472)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: CMAP-FTD

        sa timing: remaining key lifetime (k/sec): (4578499/3486)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0x14D869CB(349727179)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: CMAP-FTD

        sa timing: remaining key lifetime (k/sec): (4578498/3486)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:

 

 

 

> show crypto isakmp sa

 

IKEv1 SAs:

 

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

 

1   IKE Peer: 200.1.1.1

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

 

There are no IKEv2 SAs

 

 

> show crypto ipsec sa

interface: outside

    Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.2

      access-list |s2sAcl|929ad92c-fa84-11ea-b7a9-b3d23c8619eb extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: 200.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.1.1.2/0, remote crypto endpt.: 200.1.1.1/0

      path mtu 1500, ipsec overhead 58(36), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 0283BAD0

      current inbound spi : 14D869CB

 

    inbound esp sas:

      spi: 0x14D869CB (349727179)

         SA State: active

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 1, crypto-map: s2sCryptoMap

         sa timing: remaining key lifetime (kB/sec): (4373999/3196)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x0000001F

    outbound esp sas:

      spi: 0x0283BAD0 (42187472)

         SA State: active

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 1, crypto-map: s2sCryptoMap

         sa timing: remaining key lifetime (kB/sec): (4374000/3196)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

 

 

I simulated a web server on the Cisco 1901 router using a Loopback IP address: 192.168.2.20/24 (for the LAN). I connect from my laptop 192.168.1.10 to the web server 192.168.2.20 and Telnet to R1 using the said Loopback IP address.