IOS Site-to-Site VPN | Main Mode (CCIE Notes)


Main Mode States:-

MM_NO_STATE
The ISAKMP SA has been created, but nothing else has happened yet.

MM_SA_SETUP
Peers have agreed on the ISAKMP SA parameters

MM_KEY_EXCH
Peers have exchanged DH keys and generated a shared secret. This sets up the base for authenticating the ISAKMP SA with the pre-shared key.

MM_KEY_AUTH
The SA has been authenticated, but this state is not visible in the debugs because it transitions immediately to QM_IDLE.

QM_IDLE
ISAKMP SA is authenticated and idle and may be used for subsequent quick mode exchanges.

Configuration:-

Phase 1 (ISAKMP policy and pre-shared key)

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 10.1.1.2

Phase 2 (Crypto ACL, transform-set, crypto map and egress interface)

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac 
 mode tunnel
!
crypto map out_map 10 ipsec-isakmp 
 set peer 10.1.1.2
 set transform-set ESP-3DES 
 match address 101
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map out_map
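As an added check that is not part of the original notes: a small Python audit that reads the Phase 1 policy and Phase 2 transform-set lines in the form shown above and flags the algorithm choices (3DES, MD5, DH group 2) that are now considered legacy, so the same template can be reused with stronger settings. The sample config is constructed from the lines above; the recommended replacements are assumptions about what the platform supports.

```python
import re

# Constructed sample (not router output): the policy and transform-set lines from the notes above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
"""

# Ciphers and hashes that Cisco's Next Generation Encryption guidance lists as legacy or to avoid.
LEGACY_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
# MODP groups below 2048 bits: group 1 = 768, group 2 = 1024, group 5 = 1536 bits.
WEAK_DH_GROUPS = {"1", "2", "5"}


def audit_vpn_config(config):
    """Return (context, setting, advice) tuples for weak IKEv1/IPsec settings."""
    findings = []
    policy = None                       # isakmp policy block we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                 # IOS section separator closes the policy block
            policy = None
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = "isakmp policy " + m.group(1)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for transform in m.group(2).split():
                if transform in LEGACY_ALGS:
                    findings.append(("transform-set " + m.group(1), transform,
                                     "legacy transform; prefer esp-aes 256 with esp-sha256-hmac"))
            continue
        if policy is None:
            continue
        keyword, _, value = line.partition(" ")
        if keyword in ("encr", "encryption") and value in LEGACY_ALGS:
            findings.append((policy, line, "legacy cipher; prefer aes 256"))
        elif keyword == "hash" and value in LEGACY_ALGS:
            findings.append((policy, line, "legacy hash; prefer sha256 or stronger"))
        elif keyword == "group" and value in WEAK_DH_GROUPS:
            findings.append((policy, line, "small MODP group; prefer group 14 or higher"))
    return findings
```

Run it against the output of show running-config | section crypto to get the list of findings; an empty list means no legacy algorithm was found.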

Verification:-

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.1.2 10.1.1.1 QM_IDLE 1001 ACTIVE

R1#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
 K - Keepalives, N - NAT-traversal
 T - cTCP encapsulation, X - IKE Extended Authentication
 psk - Preshared key, rsig - RSA signature
 renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local    Remote   I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 10.1.1.1 10.1.1.2       ACTIVE 3des md5  psk  2  23:58:03 
 Engine-id:Conn-id = SW:1

R1#show crypto isakmp policy 
Global IKE policy
Protection suite of priority 10
 encryption algorithm: Three key triple DES
 hash algorithm: Message Digest 5
 authentication method: Pre-Shared Key
 Diffie-Hellman group: #2 (1024 bit)
 lifetime: 86400 seconds, no volume limit

R1#show crypto isakmp key 
Keyring Hostname/Address Preshared Key
default 10.1.1.2 cisco123

R1#show crypto isakmp peers 
Peer: 10.1.1.2 Port: 500 Local: 10.1.1.1
 Phase1 id: 10.1.1.2

R1#show crypto isakmp sa count 
Active ISAKMP SA's: 1
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

R1#show crypto isakmp sa active 
IPv4 Crypto ISAKMP SA
dst src state conn-id status

R1#show crypto map
Crypto Map IPv4 "out_map" 10 ipsec-isakmp
 Peer = 10.1.1.2
 Extended IP access list 101
 access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
 Current peer: 10.1.1.2
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): N
 Transform sets={ 
 ESP-3DES: { esp-3des esp-md5-hmac } , 
 }
 Interfaces using crypto map out_map:
 FastEthernet0/0

R1#show crypto ipsec sa

interface: FastEthernet0/0
 Crypto map tag: out_map, local addr 10.1.1.1

 protected vrf: (none)
 local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
 remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
 current_peer 10.1.1.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 230, #pkts encrypt: 230, #pkts digest: 230
 #pkts decaps: 201, #pkts decrypt: 201, #pkts verify: 201
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 15

 local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x6E3FAB(7225259)
 PFS (Y/N): N, DH group: none

 inbound esp sas:
 spi: 0xC9E299C9(3387070921)
 transform: esp-3des esp-md5-hmac ,
 in use settings ={Tunnel, }
 conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: out_map
 sa timing: remaining key lifetime (k/sec): (4205753/301)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
 spi: 0x6E3FAB(7225259)
 transform: esp-3des esp-md5-hmac ,
 in use settings ={Tunnel, }
 conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: out_map
 sa timing: remaining key lifetime (k/sec): (4205751/301)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)

 outbound ah sas:

 outbound pcp sas:

R1#show crypto ipsec security-association 
Security association lifetime: 4608000 kilobytes/3600 seconds

R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac } 
 will negotiate = { Transport, }, 

Transform set ESP-3DES: { esp-3des esp-md5-hmac } 
 will negotiate = { Tunnel, },

R1#show crypto engine connections active 
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
 7 IPsec 3DES+MD5 0 10 11 10.1.12.1
 8 IPsec 3DES+MD5 13 0 0 10.1.12.1
 1002 IKE MD5+3DES 0 0 0 10.1.12.1

R1#debug crypto isakmp
Crypto ISAKMP debugging is on

R1#debug crypto ipsec 
Crypto IPSEC debugging is on

Main Mode Messages (Phase 1):-

IKE_I_MM1 (Sent)

The router first checks whether Aggressive Mode is configured; if not, negotiation starts in Main Mode (six messages). The initiator sends the first packet, containing the locally configured ISAKMP policy (or policies) for the responder to choose from.
*Jun 24 09:14:09.171: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

IKE_I_MM2 (Received)

The initiator receives the packet sent by the responder. It contains the SA (ISAKMP policy) chosen by the peer and Vendor IDs (NAT-T and DPD). The router matches the ISAKMP policy in the packet against the locally configured policy; if a match is found, the negotiation moves to IKE_I_MM2.
*Jun 24 09:14:09.275: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

IKE_I_MM3 (Sent)

In this message, the Key Exchange payload for the Diffie-Hellman exchange is sent out.
*Jun 24 09:14:09.299: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

IKE_I_MM4 (Received)

This message is received from the responder and contains its Key Exchange payload, so both peers can generate a common session key that secures further communication. After this message, the peers can check for any NAT along the path.
*Jun 24 09:14:09.379: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

IKE_I_MM5 (Sent)

This message is sent out with the authentication information, protected by the shared secret derived from the DH exchange.
*Jun 24 09:14:09.499: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 24 09:14:09.503: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 24 09:14:09.507: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

IKE_I_MM6 (Received)

This message finishes Phase 1. The peer identity is verified and the ISAKMP SA is established.
*Jun 24 09:14:09.599: ISAKMP (1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 24 09:14:09.623: ISAKMP:(1002):SA authentication status:
authenticated
*Jun 24 09:14:09.623: ISAKMP:(1002):SA has been authenticated with 10.1.1.2
*Jun 24 09:14:09.623: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6 
*Jun 24 09:14:09.631: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE 
*Jun 24 09:14:09.771: ISAKMP (1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) QM_IDLE

Quick Mode Messages (Phase 2):-

IKE_QM_I_QM1

The initiator sends out a packet containing the local proxy IDs and the parameters defined in the transform-set for this peer.
*Jun 24 09:14:09.639: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 24 09:14:09.655: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

IKE_QM_R_QM2

The second message comes from the responder and contains the IPsec policy chosen by the peer and the proxy IDs.
Responder:
*Jun 24 09:14:09.799: ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Initiator:
*Jun 24 09:14:09.771: ISAKMP (1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) QM_IDLE 
*Jun 24 09:14:09.791: ISAKMP: transform 1, ESP_3DES

(key eng. msg.) INBOUND local= 10.1.1.1:0, remote= 10.1.1.2:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),

*Jun 24 09:14:09.803: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT

IKE_QM_PHASE2_COMPLETE

The last message finishes Quick Mode. The Phase 2 session key is derived from the DH shared secret and is used for encryption until the Phase 2 lifetime expires.
Initiator:
*Jun 24 09:14:09.855: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE 
*Jun 24 09:14:09.867: ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
Responder:
*Jun 24 09:14:09.939: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
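To turn the debug above into a quick troubleshooting check, here is an added Python helper (not from the original notes) that parses the ISAKMP "Old State / New State" lines, verifies they follow the initiator's Main Mode path described in the state list at the top, and reports the last state reached with the elapsed time. A run that stops at IKE_I_MM5 has sent its authentication but never received a valid MM6, so Phase 1 authentication is where to look. The sample debug is constructed from the transition lines shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the initiator-side "Old State / New State" lines from the debug above,
# with the IOS timestamp format kept as printed.
GOOD_DEBUG = """\
*Jun 24 09:14:09.171: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 24 09:14:09.275: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 24 09:14:09.299: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 24 09:14:09.379: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 24 09:14:09.507: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 24 09:14:09.623: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 24 09:14:09.631: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""

# Expected initiator path through the six Main Mode messages to Phase 1 completion.
MAIN_MODE_PATH = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
                  "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

TRANSITION = re.compile(r"\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): ISAKMP:\((?P<conn>\d+)\):"
                        r"Old State = (?P<old>\S+) +New State = (?P<new>\S+)")


def parse_transitions(debug):
    """Yield (timestamp, conn_id, old_state, new_state) from ISAKMP debug lines."""
    for line in debug.splitlines():
        m = TRANSITION.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
            yield ts, int(m.group("conn")), m.group("old"), m.group("new")


def check_main_mode(debug):
    """Return (phase1_complete, last_state, elapsed_ms) for an initiator's Main Mode run."""
    reached = ["IKE_READY"]
    stamps = []
    for ts, _conn, old, new in parse_transitions(debug):
        if old != reached[-1]:          # every transition must leave the state we are in
            raise ValueError(f"out-of-order transition {old} -> {new}, expected from {reached[-1]}")
        reached.append(new)
        stamps.append(ts)
    if reached != MAIN_MODE_PATH[:len(reached)]:
        raise ValueError(f"not a Main Mode initiator path: {reached}")
    elapsed_ms = (stamps[-1] - stamps[0]) // timedelta(milliseconds=1) if stamps else 0
    return reached[-1] == "IKE_P1_COMPLETE", reached[-1], elapsed_ms
```

Feed it the captured output of debug crypto isakmp from the initiator; a result of (False, "IKE_I_MM5", ...) means the peer never answered with a valid sixth message.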

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/

 
