My Cybersecurity Journal: Cisco Firepower 1010 Site-to-Site VPN

I've modified my lab and reconfigured the Firepower 1010 firewall in order to establish a Site-to-Site IPSec VPN with a Cisco 1901 ISR router.

To re-configure the outside interface (Ethernet1/1), go to Device > System Settings > DHCP Server.

Under Configuration tab > disable (toggle blue switch): Enable Auto Configuration.

This will disable the outside interface (Ethernet1/1) from obtaining DHCP settings from the ISP.

Go to Device > Interfaces > View All Interfaces.

On Ethernet1/1 > under Actions > click Edit (blue pencil icon).

Leave the Interface Name: outside > leave the Mode: Routed > leave the Status: enabled.

Under Type > select Static.

Type IPv4 Address: 200.1.1.2 > Subnet Mask: 30 > click OK.

Skip the settings under IPv6 Address and Advanced tabs.

Click Deployment > Deploy Now.

You also need to create a static default route under Device > Routing > Create the first static route.

Click Create Static Route.

Type a Name: FTD-DEFAULT-ROUTE > leave IPv4 selected (default) > Gateway > Create new Network.

Under Filter > select the newly created Host object.

Under Interface > select outside (Ethernet1/1).

Leave default the Metric:1 > under Networks > select: any-ipv4 Network > click OK > OK.

Click Deployment > Deploy Now.

To configure a Site-to-Site VPN in FTD, go to Device > Site-to-Site VPN > View Configuration.

Click Create Site-to-Site Connection to launch the configuration wizard.

Type a Connection Profile Name: FTD-S2S-VPN > click Next.

Under Local Site > local VPN Access Interface > select: outside (Ethernet1/1).

Under Local Network > click Add (plus icon) > select the object for the inside subnet: Obj-192.168.1.0-24 > click OK.

Under Remote Site > select: Static > type Remote IP Address: 200.1.1.1 (R1 WAN IP address) > under Remote Network > click Add (plus icon) > Create new Network.

Type a Name: R1-REMOTE-LAN > leave Type: Network (default) > type Network: 192.168.2.0/24 > click OK.

Under Remote Network > select the newly created network object: R1-REMOTE-LAN > click OK.

Click Next (bottom).

IKE Version 2 is enabled by default but you can't use it (restricted) with the 90-day Evaluation license.

I used IKE Version 1protocols instead.

Below are the IKE Phase 1 and IKE Phase 2 policies configured on the remote router.

Define IKEv1 ISAKMP Phase 1 Policy.

Router(config)#crypto ?

call Configure Crypto Call Admission Control

ctcp Configure cTCP encapsulation

dynamic-map Specify a dynamic crypto map template

engine Enter a crypto engine configurable menu

gdoi Configure GDOI policy

identity Enter a crypto identity list

ikev2 Configure IKEv2 Options

ipsec Configure IPSEC policy

isakmp Configure ISAKMP policy

key Long term key operations

keyring Key ring commands

logging logging messages

map Enter a crypto map

mib Configure Crypto-related MIB Parameters

pki Public Key components

provisioning Secure Device Provisioning

wui Crypto HTTP configuration interfaces

xauth X-Auth parameters

Router(config)#crypto isakmp ?

aggressive-mode Disable ISAKMP aggressive mode

client Set client configuration policy

default ISAKMP default policy

enable Enable ISAKMP

fragmentation IKE Fragmentation enabled if required

identity Set the identity which ISAKMP will use

invalid-spi-recovery Initiate IKE and send Invalid SPI Notify

keepalive Set a keepalive interval for use with IOS peers

key Set pre-shared key for remote peer

nat Set a nat keepalive interval for use with IOS peers

peer Set Peer Policy

policy Set policy for an ISAKMP protection suite

profile Define ISAKMP Profiles

xauth Set Extended Authentication values

Router(config)#crypto isakmp policy ?

<1-10000> Priority of protection suite

Router(config)#crypto isakmp policy 10

Router(config-isakmp)#?

ISAKMP commands:

authentication Set authentication method for protection suite

default Set a command to its defaults

encryption Set encryption algorithm for protection suite

exit Exit from ISAKMP protection suite configuration mode

group Set the Diffie-Hellman group

hash Set hash algorithm for protection suite

lifetime Set lifetime for ISAKMP security association

no Negate a command or set its defaults

Router(config-isakmp)#encryption ?

3des Three key triple DES

aes AES - Advanced Encryption Standard.

des DES - Data Encryption Standard (56 bit keys).

Router(config-isakmp)#encryption des

Router(config-isakmp)#authentication ?

pre-share Pre-Shared Key

rsa-encr Rivest-Shamir-Adleman Encryption

rsa-sig Rivest-Shamir-Adleman Signature

Router(config-isakmp)#authentication pre-share

Router(config-isakmp)#hash ?

md5 Message Digest 5

sha Secure Hash Standard

sha256 Secure Hash Standard 2 (256 bit)

sha384 Secure Hash Standard 2 (384 bit)

sha512 Secure Hash Standard 2 (512 bit)

Router(config-isakmp)#hash sha

Router(config-isakmp)#group ?

1 Diffie-Hellman group 1 (768 bit)

14 Diffie-Hellman group 14 (2048 bit)

15 Diffie-Hellman group 15 (3072 bit)

16 Diffie-Hellman group 16 (4096 bit)

19 Diffie-Hellman group 19 (256 bit ecp)

2 Diffie-Hellman group 2 (1024 bit)

20 Diffie-Hellman group 20 (384 bit ecp)

24 Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)

5 Diffie-Hellman group 5 (1536 bit)

Router(config-isakmp)#group 5

Define the Local ISAKMP Crypto Key. The key string should also be the same on the remote FTD device.

Router(config-isakmp)#exit

Router(config)#crypto isakmp ?

aggressive-mode Disable ISAKMP aggressive mode

client Set client configuration policy

default ISAKMP default policy

enable Enable ISAKMP

fragmentation IKE Fragmentation enabled if required

identity Set the identity which ISAKMP will use

invalid-spi-recovery Initiate IKE and send Invalid SPI Notify

keepalive Set a keepalive interval for use with IOS peers

key Set pre-shared key for remote peer

nat Set a nat keepalive interval for use with IOS peers

peer Set Peer Policy

policy Set policy for an ISAKMP protection suite

profile Define ISAKMP Profiles

xauth Set Extended Authentication values

Router(config)#crypto isakmp key ?

0 Specifies an UNENCRYPTED password will follow

6 Specifies an ENCRYPTED password will follow

WORD The UNENCRYPTED (cleartext) user password

Router(config)#crypto isakmp key cisco123 ?

address define shared key with IP address

hostname define shared key with hostname

Router(config)#crypto isakmp key cisco123 address ?

A.B.C.D Peer IP address

ipv6 define shared key with IPv6 address

Router(config)#crypto isakmp key cisco123 address 200.1.1.2

Create a Crypto ACL which will trigger the "interesting" traffic.

Router(config)#ip access-list extended FTD-CRYPTO-ACL

Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Define the IPSec Transform Set for IKE Phase 2

Router(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac

Router(cfg-crypto-trans)#

Create a Crypto Map to bind all the IKE Phase 1 and Phase 2 Policy

Router(cfg-crypto-trans)#exit

Router(config)#

Router(config)#crypto map ?

WORD Crypto map tag

ipv6 IPv6 crypto map

Router(config)#crypto map CMAP-FTD ?

<1-65535> Sequence to insert into crypto map entry

client Specify client configuration settings

gdoi Configure crypto map gdoi features

isakmp Specify isakmp configuration settings

isakmp-profile Specify isakmp profile to use

local-address Interface to use for local address for this crypto map

redundancy High availability options for this map

Router(config)#crypto map CMAP-FTD 10 ?

gdoi GDOI

ipsec-isakmp IPSEC w/ISAKMP

ipsec-manual IPSEC w/manual keying

<cr>

Router(config)#crypto map CMAP-FTD 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router(config-crypto-map)#?

Crypto Map configuration commands:

default Set a command to its defaults

description Description of the crypto map statement policy

dialer Dialer related commands

exit Exit from crypto map configuration mode

match Match values.

no Negate a command or set its defaults

qos Quality of Service related commands

reverse-route Reverse Route Injection.

set Set values for encryption/decryption

Router(config-crypto-map)#set ?

identity Identity restriction.

ikev2-profile Specify ikev2 Profile

ip Interface Internet Protocol config commands

isakmp-profile Specify isakmp Profile

nat Set NAT translation

peer Allowed Encryption/Decryption peer.

pfs Specify pfs settings

reverse-route Reverse Route Injection.

security-association Security association parameters

transform-set Specify list of transform sets in priority order

Router(config-crypto-map)#set peer ?

A.B.C.D IP address of peer

WORD Host name of the peer

Router(config-crypto-map)#set peer 200.1.1.2

Router(config-crypto-map)#set transform-set ?

WORD Proposal tag

Router(config-crypto-map)#set transform-set TSET

Router(config-crypto-map)#match ?

address Match address of packets to encrypt.

Router(config-crypto-map)#match address ?

<100-199> IP access-list number

<2000-2699> IP access-list number (expanded range)

WORD Access-list name

Router(config-crypto-map)#match address FTD-CRYPTO-ACL

Apply the Crypto Map on the router's WAN/ISP interface.

Router(config)#interface g0/1

Router(config-if)#crypto ?

ipsec Set IPSec parameters

map Assign a Crypto Map

Router(config-if)#crypto map CMAP-FTD

Router(config-if)#

Sep 19 12:29:43.035: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Router#show run | sec crypto

crypto pki token default removal timeout 0

crypto isakmp policy 10 // DEFAULT ENCRYPTION IS DES AND SHA-1 HASH (NOT SHOWN IN THE CONFIG)

authentication pre-share

group 5

crypto isakmp key cisco123 address 200.1.1.2

crypto ipsec transform-set TSET esp-des esp-sha-hmac

crypto map CMAP-FTD 10 ipsec-isakmp

set peer 200.1.1.2

set transform-set TSET

match address FTD-CRYPTO-ACL

crypto map CMAP-FTD

Enable IKE Version 1 (toggle the blue switch) > under Globally applied > click Edit.

Leave the default IKE v1 Policies > click OK.

The identical IKE Phase 1 policies with the router are: SHA-1 (hash/integrity), DES (encryption) and pre-shared-key (must be the same on both ends).

Click Add (plus icon).

Select the IPSec Proposals (IKE Phase 2): ESP_SHA_HMAC-ESP_DES-TUNNEL.

The identical IKE Phase 2 policies with the router are: ESP-DES (encryption) and ESP-SHA-1 (hash/integrity).

Click OK.

Type the pre-shared key: cisco123

Leave the default Diffie-Hellman Group for Perfect Forward Secrecy (PFS): No Perfect Forward Secrecy (turned off) > click Next.

Review the Summary settings > click Finish.

Click Deployment > Deploy Now.

You can launch the FTD CLI from the Dashboard by clicking the CLI Console icon (top).

Click Undock into separate window.

You can use the show crypto isakmp sa (IKE Phase 1) and show crypto ipsec sa (IKE Phase 2) which are similar to the ASA commands.

Router#ping 192.168.1.10 source 192.168.2.20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.20

Sep 19 13:40:11.227: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 200.1.1.1:500, remote= 200.1.1.2:500,

local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Sep 19 13:40:11.227: ISAKMP:(0): SA request profile is (NULL)

Sep 19 13:40:11.227: ISAKMP: Created a peer struct for 200..1.1.2, peer port 500

Sep 19 13:40:11.227: ISAKMP: New peer created peer = 0x27EA267C peer_handle = 0x80000002

Sep 19 13:40:11.227: ISAKMP: Locking peer struct 0x27EA267C, refcount 1 for isakmp_initiator

Sep 19 13:40:11.227: ISAKMP: local port 500, remote port 500

Sep 19 13:40:11.227: ISAKMP: set new node 0 to QM_IDLE

Sep 19 13:40:11.227: ISAKMP:(0):insert sa successfully sa = 27EAF0F0

Sep 19 13:40:11.227: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Sep 19 13:40:11.227: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-07 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-03 ID

Sep 19 13:40:11.227: ISAKMP:(0): constructed NAT-T vendor-02 ID

Sep 19 13:40:11.227: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Sep 19 13:40:11.227: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Sep 19 13:40:11.227: ISAKMP:(0): beginn.ing Main Mode exchange

Sep 19 13:40:11.227: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 19 13:40:11.227: ISAKMP:(0):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.231: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE

Sep 19 13:40:11.231: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.231: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Sep 19 13:40:11.231: ISAKMP:(0): processing SA payload. message ID = 0

Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Sep 19 13:40:11.231: ISAKMP (0): vendor ID is NAT-T RFC 3947

Sep 19 13:40:11.231: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0): processing IKE frag vendor id payload

Sep 19 13:40:11.231: ISAKMP:(0):Support for IKE Fragmentation not enabled

Sep 19 13:40:11.231: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep .19 13:40:11.231: ISAKMP:(0): local preshared key found

Sep 19 13:40:11.231: ISAKMP : Scanning profiles for xauth ...

Sep 19 13:40:11.231: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

Sep 19 13:40:11.231: ISAKMP: encryption DES-CBC

Sep 19 13:40:11.231: ISAKMP: hash SHA

Sep 19 13:40:11.231: ISAKMP: default group 5

Sep 19 13:40:11.231: ISAKMP: auth pre-share

Sep 19 13:40:11.231: ISAKMP: life type in seconds

Sep 19 13:40:11.231: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Sep 19 13:40:11.231: ISAKMP:(0):atts are acceptable. Next payload is 0

Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:actual life: 0

Sep 19 13:40:11.231: ISAKMP:(0):Acceptable atts:life: 0

Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa vpi_length:4

Sep 19 13:40:11.231: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Sep 19 13:40:11.231: ISAKMP:(0):Returning Actual lifetime: 86400

Sep 19 13:40:11.231: ISAKMP:(0)::Started lifetime timer: 86400.

Sep 19 13:40:11.295: IS.AKMP:(0): processing vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Sep 19 13:40:11.295: ISAKMP (0): vendor ID is NAT-T RFC 3947

Sep 19 13:40:11.295: ISAKMP:(0): processing vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0): processing IKE frag vendor id payload

Sep 19 13:40:11.295: ISAKMP:(0):Support for IKE Fragmentation not enabled

Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Sep 19 13:40:11.295: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

Sep 19 13:40:11.295: ISAKMP:(0):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.295: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.295: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Sep 19 13:40:11.299: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP

Sep 19 13:40:11.299: ISAKMP:(0.

Success rate is 0 percent (0/5)

Router#):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.299: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

Sep 19 13:40:11.299: ISAKMP:(0): processing KE payload. message ID = 0

Sep 19 13:40:11.379: ISAKMP:(0): processing NONCE payload. message ID = 0

Sep 19 13:40:11.379: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is Unity

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID seems Unity/DPD but major 194 mismatch

Sep 19 13:40:11.379: ISAKMP:(1001): vendor ID is XAUTH

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001): speaking to another IOS box!

Sep 19 13:40:11.379: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.379: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch

Sep 19 13:40:11.379: ISAKMP:received payload type 20

Sep 19 13:40:11.379: ISAKMP (1001): His hash no match - this node outside NAT

Sep 19 13:40:11.379: ISAKMP:received payload type 20

Sep 19 13:40:11.379: ISAKMP (1001): No NAT Found for self or peer

Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4

Sep 19 13:40:11.379: ISAKMP:(1001):Send initial contact

Sep 19 13:40:11.379: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

Sep 19 13:40:11.379: ISAKMP (1001): ID payload

next-payload : 8

type : 1

address : 200.1.1.1

protocol : 17

port : 500

length : 12

Sep 19 13:40:11.379: ISAKMP:(1001):Total payload length: 12

Sep 19 13:40:11.379: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Sep 19 13:40:11.379: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.379: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.379: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5

Sep 19 13:40:11.383: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

Sep 19 13:40:11.383: ISAKMP:(1001): processing ID payload. message ID = 0

Sep 19 13:40:11.383: ISAKMP (1001): ID payload

next-payload : 8

type : 1

address : 200.1.1.2

protocol : 17

port : 0

length : 12

Sep 19 13:40:11.383: ISAKMP:(0):: peer matches *none* of the profiles

Sep 19 13:40:11.383: ISAKMP:(1001): processing HASH payload. message ID = 0

Sep 19 13:40:11.383: ISAKMP:received payload type 17

Sep 19 13:40:11.383: ISAKMP:(1001): processing vendor id payload

Sep 19 13:40:11.383: ISAKMP:(1001): vendor ID is DPD

Sep 19 13:40:11.383: ISAKMP:(1001):SA authentication status:

authenticated

Sep 19 13:40:11.383: ISAKMP:(1001):SA has been authenticated with 200.1.1.2

Sep 19 13:40:11.383: ISAKMP: Trying to insert a peer 200.1.1.1/200.1.1.2/500/, and inserted successfully 27EA267C.

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 2419858072

Sep 19 13:40:11.383: ISAKMP:(1001):QM Initiator gets spi

Sep 19 13:40:11.383: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:11.383: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.383: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Sep 19 13:40:11.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Sep 19 13:40:11.383: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:11.387: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:11.387: ISAKMP:(1001): processing HASH payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): processing SA payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001):Checking IPSec proposal 1

Sep 19 13:40:11.387: ISAKMP: transform 1, ESP_DES

Sep 19 13:40:11.387: ISAKMP: attributes in transform:

Sep 19 13:40:11.387: ISAKMP: SA life type in seconds

Sep 19 13:40:11.387: ISAKMP: SA life duration (basic) of 3600

Sep 19 13:40:11.387: ISAKMP: SA life type in kilobytes

Sep 19 13:40:11.387: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Sep 19 13:40:11.387: ISAKMP: encaps is 1 (Tunnel)

Sep 19 13:40:11.387: ISAKMP: authenticator is HMAC-SHA

Sep 19 13:40:11.387: ISAKMP:(1001):atts are acceptable.

Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1

Sep 19 13:40:11.387: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,

local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Sep 19 13:40:11.387: Crypto mapdb : proxy_match

src addr : 192.168.2.0

dst addr : 192.168.1.0

protocol : 0

src port : 0

dst port : 0

Sep 19 13:40:11.387: ISAKMP:(1001): processing NONCE payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): processing ID payload. message ID = 2419858072

Sep 19 13:40:11.387: ISAKMP:(1001): Creating IPSec SAs

Sep 19 13:40:11.387: inbound SA from 200.1.1.2 to 200.1.1.1 (f/i) 0/ 0

(proxy 192.168.1.0 to 192.168.2.0)

Sep 19 13:40:11.387: has spi 0x283BAD0 and conn_id 0

Sep 19 13:40:11.391: lifetime of 3600 seconds

Sep 19 13:40:11.391: lifetime of 4608000 kilobytes

Sep 19 13:40:11.391: outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/0

(proxy 192.168.2.0 to 192.168.1.0)

Sep 19 13:40:11.391: has spi 0x14D869CB and conn_id 0

Sep 19 13:40:11.391: lifetime of 3600 seconds

Sep 19 13:40:11.391: lifetime of 4608000 kilobytes

Sep 19 13:40:11.391: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:11.391: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:11.391: ISAKMP:(1001):deleting node -1875109224 error FALSE reason "No Error"

Sep 19 13:40:11.391: ISAKMP:(1001):Node 2419858072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Sep 19 13:40:11.391: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE

Sep 19 13:40:11.391: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Sep 19 13:40:11.391: Crypto mapdb : proxy_match

src addr : 192.168.2.0

dst addr : 192.168.1.0

protocol : 0

src port : 0

dst port : 0

Sep 19 13:40:11.391: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2

Sep 19 13:40:11.391: IPSEC(policy_db_add_ident): src 192.168.2.0, dest 192.168.1.0, dest_port 0

Sep 19 13:40:11.391: IPSEC(create_sa): sa created,

(sa) sa_dest= 200.1.1.1, sa_proto= 50,

sa_spi= 0x283BAD0(42187472),

sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001

sa_lifetime(k/sec)= (4578499/3600)

Sep 19 13:40:11.391: IPSEC(create_sa): sa created,

(sa) sa_dest= 200.1.1.2, sa_proto= 50,

sa_spi= 0x14D869CB(349727179),

sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2002

sa_lifetime(k/sec)= (4578499/3600)

Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): get enable SA peer 200.1.1.2 current outbound sa to SPI 14D869CB

Sep 19 13:40:11.391: IPSEC(update_current_outbound_sa): updated peer 200.1.1.2 current outbound sa to SPI 14D869CB

Sep 19 13:40:36.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:36.787: ISAKMP: set new node 1936719789 to QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001): processing HASH payload. message ID = 1936719789

Sep 19 13:40:36.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

spi 0, message ID = 1936719789, sa = 0x27EAF0F0

Sep 19 13:40:36.787: ISAKMP:(1001):deleting node 1936719789 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:36.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:36.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:36.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B00

Sep 19 13:40:36.787: ISAKMP: set new node -1133030632 to QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

spi 817338144, message ID = 3161936664

Sep 19 13:40:36.787: ISAKMP:(1001): seq. no 0x56945B00

Sep 19 13:40:36.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:36.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:36.787: ISAKMP:(1001):purging node -1133030632

Sep 19 13:40:36.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:36.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:46.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:46.787: ISAKMP: set new node -906294456 to QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001): processing HASH payload. message ID = 3388672840

Sep 19 13:40:46.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

spi 0, message ID = 3388672840, sa = 0x27EAF0F0

Sep 19 13:40:46.787: ISAKMP:(1001):deleting node -906294456 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:46.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:46.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:46.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B01

Sep 19 13:40:46.787: ISAKMP: set new node -413392161 to QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

spi 817338144, message ID = 3881575135

Sep 19 13:40:46.787: ISAKMP:(1001): seq. no 0x56945B01

Sep 19 13:40:46.787: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:46.787: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:46.791: ISAKMP:(1001):purging node -413392161

Sep 19 13:40:46.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:46.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:56.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:40:56.787: ISAKMP: set new node -930427889 to QM_IDLE

Sep 19 13:40:56.787: ISAKMP:(1001): processing HASH payload. message ID = 3364539407

Sep 19 13:40:56.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

spi 0, message ID = 3364539407, sa = 0x27EAF0F0

Sep 19 13:40:56.787: ISAKMP:(1001):deleting node -930427889 error FALSE reason "Informational (in) state 1"

Sep 19 13:40:56.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:40:56.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:40:56.787: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B02

Sep 19 13:40:56.787: ISAKMP: set new node -2117361168 to QM_IDLE

Sep 19 13:40:56.787: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

spi 817338144, message ID = 2177606128

Sep 19 13:40:56.791: ISAKMP:(1001): seq. no 0x56945B02

Sep 19 13:40:56.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:40:56.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:40:56.791: ISAKMP:(1001):purging node -2117361168

Sep 19 13:40:56.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:40:56.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:41:01.391: ISAKMP:(1001):purging node -1875109224

Sep 19 13:41:06.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:41:06.787: ISAKMP: set new node -131896221 to QM_IDLE

Sep 19 13:41:06.787: ISAKMP:(1001): processing HASH payload. message ID = 4163071075

Sep 19 13:41:06.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

spi 0, message ID = 4163071075, sa = 0x27EAF0F0

Sep 19 13:41:06.787: ISAKMP:(1001):deleting node -131896221 error FALSE reason "Informational (in) state 1"

Sep 19 13:41:06.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:41:06.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:41:06.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B03

Sep 19 13:41:06.791: ISAKMP: set new node 1784003598 to QM_IDLE

Sep 19 13:41:06.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

spi 817338144, message ID = 1784003598

Sep 19 13:41:06.791: ISAKMP:(1001): seq. no 0x56945B03

Sep 19 13:41:06.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:41:06.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:41:06.791: ISAKMP:(1001):purging node 1784003598

Sep 19 13:41:06.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:41:06.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:41:16.787: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Sep 19 13:41:16.787: ISAKMP: set new node 986600194 to QM_IDLE

Sep 19 13:41:16.787: ISAKMP:(1001): processing HASH payload. message ID = 986600194

Sep 19 13:41:16.787: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1

spi 0, message ID = 986600194, sa = 0x27EAF0F0

Sep 19 13:41:16.787: ISAKMP:(1001):deleting node 986600194 error FALSE reason "Informational (in) state 1"

Sep 19 13:41:16.787: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Sep 19 13:41:16.787: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Sep 19 13:41:16.791: ISAKMP:(1001):DPD/R_U_THERE received from peer 200.1.1.2, sequence 0x56945B04

Sep 19 13:41:16.791: ISAKMP: set new node -260990127 to QM_IDLE

Sep 19 13:41:16.791: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

spi 817338144, message ID = 4033977169

Sep 19 13:41:16.791: ISAKMP:(1001): seq. no 0x56945B04

Sep 19 13:41:16.791: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Sep 19 13:41:16.791: ISAKMP:(1001):Sending an IKE IPv4 Packet.

Sep 19 13:41:16.791: ISAKMP:(1001):purging node -260990127

Sep 19 13:41:16.791: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Sep 19 13:41:16.791: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Router#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

200.1.1.2 200.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

Router#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: CMAP-FTD, local addr 200.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer 200.1.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

current outbound spi: 0x14D869CB(349727179)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x283BAD0(42187472)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: CMAP-FTD

sa timing: remaining key lifetime (k/sec): (4578499/3486)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x14D869CB(349727179)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: CMAP-FTD

sa timing: remaining key lifetime (k/sec): (4578498/3486)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

> show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 200.1.1.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

> show crypto ipsec sa

interface: outside

Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.2

access-list |s2sAcl|929ad92c-fa84-11ea-b7a9-b3d23c8619eb extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

current_peer: 200.1.1.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 200.1.1.2/0, remote crypto endpt.: 200.1.1.1/0

path mtu 1500, ipsec overhead 58(36), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: 0283BAD0

current inbound spi : 14D869CB

inbound esp sas:

spi: 0x14D869CB (349727179)

SA State: active

transform: esp-des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, IKEv1, }

slot: 0, conn_id: 1, crypto-map: s2sCryptoMap

sa timing: remaining key lifetime (kB/sec): (4373999/3196)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x0000001F

outbound esp sas:

spi: 0x0283BAD0 (42187472)

SA State: active

transform: esp-des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, IKEv1, }

slot: 0, conn_id: 1, crypto-map: s2sCryptoMap

sa timing: remaining key lifetime (kB/sec): (4374000/3196)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

I simulated a web server on the Cisco 1901 router using a Loopback IP address: 192.168.2.20/24 (for the LAN). I connect from my laptop 192.168.1.10 to the web server 192.168.2.20 and Telnet to R1 using the said Loopback IP address.

My Cybersecurity Journal

Friday, January 1, 2021

Cisco Firepower 1010 Site-to-Site VPN

No comments:

Post a Comment