ASA-5505 IPsec VPN

Network Diagram:

192.168.1.0/24 -- 10.0.1.1 <--->  10.0.2.1 -- 192.168.2.0/24

The local LAN 192.168.1.0/24 sits behind the ASA whose outside address is 10.0.1.1; the remote peer's outside address is 10.0.2.1 with 192.168.2.0/24 behind it. All output below was taken on the 10.0.1.1 side, which acts as the IKE initiator (Role : initiator in the SA output).

IPsec Protocol Architecture

Firewall: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP 500). If either peer sits behind NAT, IKE negotiates NAT-Traversal and both IKE and the ESP-in-UDP traffic move to UDP 4500, so any firewall in the path must pass UDP 500, UDP 4500 and protocol 50 in both directions. A tunnel that needs AH will not survive NAT at all, because AH authenticates the IP header that NAT rewrites.

  • Authentication (data origin): Authentication Header (AH) and Encapsulating Security Payload (ESP)
  • Integrity: AH, and ESP when an authentication transform such as esp-sha-hmac is part of the transform set
  • Confidentiality: Encapsulating Security Payload (ESP) only; AH encrypts nothing
  • Bringing it all together: Internet Key Exchange (IKE) authenticates the peers and negotiates the policies and keys for the SAs above

Configuration


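The Configuration section of this note is empty, so the following is an added example (mine, not taken from the page) of the initiator-side configuration that would produce the show output in the Verify section: crypto map map1 entry 30, crypto ACL crypto_30_al, peer 10.0.2.1, the outside interface name and the 86400 s / 3600 s lifetimes are taken from the page; the inside interface name, the nonat ACL name, the transform-set names, the DH groups and the pre-shared key placeholder are assumptions. It uses the pre-8.4 isakmp syntax that the page's show/clear/debug commands belong to; on ASA 8.4 and later the policy, enable, transform-set and pre-shared-key commands take the ikev1 keyword and the nat 0 exemption becomes a twice-NAT rule. The DES/MD5 policy and transform set reproduce what the page's output shows and are kept only to make the two visible side by side; the aes-256/sha entries beside them are the settings to actually deploy.

```cisco
! Interesting traffic (proxy identities). The peer's crypto ACL must be the exact mirror image.
access-list crypto_30_al extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption (ACL name "nonat" assumed): VPN traffic must keep its private addresses
! or it never matches the crypto ACL and leaves the box in the clear.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 1: IKEv1 main mode with pre-shared key, NAT-T keepalive every 20 s
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! Policy 10 is what the page's SA output reflects (des / MD5; group 2 assumed).
! Legacy interoperability only: 56-bit DES is brute-forceable and MD5 is deprecated.
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

! Policy 5 has the lower number, so it is offered first, and is the one to keep.
! Use group 14 or higher where the image offers it; older images stop at group 5.
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 transform sets (names assumed). ESP with an HMAC gives confidentiality
! plus integrity in one header; AH is not used on this tunnel.
crypto ipsec transform-set ts_legacy esp-des esp-md5-hmac
crypto ipsec transform-set ts_strong esp-aes-256 esp-sha-hmac

! Crypto map map1, entry 30, bound to the outside interface. PFS must match the peer
! (on or off, same group); the 3600 s lifetime matches the remaining-lifetime values on the page.
crypto map map1 30 match address crypto_30_al
crypto map map1 30 set peer 10.0.2.1
crypto map map1 30 set transform-set ts_strong
crypto map map1 30 set pfs group5
crypto map map1 30 set security-association lifetime seconds 3600
crypto map map1 interface outside

! Peer authentication. Replace the placeholder with a long random secret; the identical
! string goes on the peer. A short or guessable PSK turns main mode into an offline attack.
tunnel-group 10.0.2.1 type ipsec-l2l
tunnel-group 10.0.2.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_SECRET

! ASA default: decrypted VPN traffic bypasses the interface ACL. Remove it (no sysopt ...)
! if traffic arriving through the tunnel should be filtered like any other inbound traffic.
sysopt connection permit-vpn
```

Once both sides are configured the tunnel does not come up by itself: the initiator only starts IKE when a packet from 192.168.1.0/24 to 192.168.2.0/24 hits the crypto map, which is why the Verify section first shows "There are no isakmp sas" on an idle box.
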
Verify

Phase 1 (IKE/ISAKMP) state

show crypto isakmp sa

Tunnel up (normal):

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: w.w.w.w
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

No SA present:

There are no isakmp sas

States the initiator may sit in instead of MM_ACTIVE (the name tells you which main-mode message it is waiting for):

  • MM_WAIT_MSG2  sent MSG1 (SA proposal), waiting for the responder's accepted proposal
  • MM_WAIT_MSG4  sent MSG3 (DH public value and nonce), waiting for the responder's key exchange
  • MM_WAIT_MSG6  sent MSG5 (identity and authentication hash, already encrypted), waiting for the responder's identity; a peer that never leaves this state almost always has a pre-shared key or identity mismatch

MM_WAIT_MSG2

The initiator has sent its initial proposal (MSG1) to the responder and is awaiting the initial contact reply from the other side.

A tunnel stuck in MM_WAIT_MSG2 usually has one of two causes:

1. The remote end has no acceptable phase 1 policy (or no tunnel-group / crypto map entry for this peer), so it rejects or silently drops the proposal.

2. UDP 500 is not reaching the remote end, or the remote end's UDP 500 reply is not reaching the local ASA (firewall or NAT device in the path; check UDP 4500 too if NAT-T is in play).

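Telling the two causes apart from the initiator side, as an added example that is not part of the original note: capture IKE on the outside interface, trigger the tunnel with packet-tracer, and see whether anything ever comes back. The capture and ACL names, the inside interface name and the hosts 192.168.1.10 / 192.168.2.10 are assumptions; the peer addresses are the page's.

```cisco
! 1. Capture IKE (UDP 500) in both directions between the two crypto endpoints
access-list cap_ike extended permit udp host 10.0.1.1 host 10.0.2.1 eq 500
access-list cap_ike extended permit udp host 10.0.2.1 host 10.0.1.1 eq 500
capture ike access-list cap_ike interface outside

! 2. Trigger phase 1 with synthetic interesting traffic (addresses assumed).
!    packet-tracer walks the ACL, NAT and VPN phases and initiates IKE when the
!    crypto ACL matches. A DROP in an earlier phase (NAT, ACCESS-LIST) means the
!    traffic never reaches the crypto map, and IKE is not the problem at all.
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10 detailed

! 3. Read the state and the capture
show crypto isakmp sa
show capture ike

! Reading the capture:
!   only 10.0.1.1 -> 10.0.2.1 packets, repeated a few seconds apart (retransmits):
!     nothing returns. Either UDP 500 is blocked in transit, or the peer has
!     isakmp disabled on that interface / no tunnel-group for 10.0.1.1 and drops
!     the proposal silently. Capture on the peer's outside interface to split those.
!   packets in both directions but the state never advances past MM_WAIT_MSG2:
!     the peer answers but does not accept the proposal. Compare
!     `show running-config crypto isakmp` on both ends: encryption, hash, DH
!     group, authentication method and lifetime must all line up in one policy pair.

! 4. Clean up: captures hold buffer memory and stay until removed
no capture ike
clear configure access-list cap_ike
```

The same capture with `permit ip host 10.0.1.1 host 10.0.2.1` instead of udp/500 also shows the ESP (protocol 50) or UDP 4500 packets once phase 2 is up, which is the quickest way to confirm that encrypted traffic is actually leaving the box.
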
show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85286

Note the Encrypt : des / Hash : MD5 lines in the detail output above: 56-bit DES and MD5 are deprecated and should be treated as legacy interoperability settings only. Move the phase 1 policy to AES and SHA with a larger DH group on both peers, and do the same for the phase 2 transform set.

Phase 2 (IPsec) state

The counters are the first thing to read: #pkts encaps climbing while #pkts decaps stays at 0 means traffic leaves the tunnel but nothing returns (routing or NAT on the far side, or a crypto ACL on the peer that is not the mirror of ours); both at 0 means nothing has matched the crypto ACL yet. The local ident / remote ident lines are the proxy identities derived from the crypto ACL entry and must match the peer's mirrored entry exactly; a phase 2 that refuses to come up with phase 1 in MM_ACTIVE is nearly always a proxy-ID, transform-set or PFS mismatch.

show crypto ipsec sa [detail]

Tunnel up (normal):

interface: outside
    Crypto map tag: map1, seq num: 30, local addr: 10.0.1.1

      access-list crypto_30_al extended permit ip host 192.168.1.254 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.0.2.1

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.1.1, remote crypto endpt.: 10.0.2.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3EEB1391
      current inbound spi : CC665787

    inbound esp sas:
      spi: 0xCC665787 (3429259143)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6467584, crypto-map: map1
         sa timing: remaining key lifetime (kB/sec): (4373999/3324)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000007FF
    outbound esp sas:
      spi: 0x3EEB1391 (1055593361)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6467584, crypto-map: map1
         sa timing: remaining key lifetime (kB/sec): (4373999/3322)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

No IPsec SA (no connection):

There are no ipsec sas

 


Statistics

# Show ISAKMP statistics

show crypto isakmp stats

Output:

    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 1545
    In Octets: 3915864
    In Packets: 20219
    ...............
    Out Octets: 2695472
    Out Packets: 22221
    ...............

# Show IPsec global statistics

show crypto ipsec stats

Output:

IPsec Global Statistics
-----------------------
Active tunnels: 0
Previous tunnels: 4166
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 577500
    Dropped packets: 0
    Replay failures: 0
    Authentications: 577500
    Authentication failures: 0
    Decryptions: 577500
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 655748
    Dropped packets: 0
    Authentications: 655748
    Authentication failures: 0
    Encryptions: 655748
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

 


VPN session database

show vpn-sessiondb [opts]

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       0 :          0 :               0
    Clientless only     :       0 :          0 :               0
    With client         :       0 :          0 :               0 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       1 :       1546 :               2
  IPsec Remote Access   :       0 :          0 :               0
  Totals                :       1 :       1546

License Information:
  IPsec   :     25    Configured :     25    Active :      1    Load :   4%
  SSL VPN :      2    Configured :      2    Active :      0    Load :   0%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          1 :       1546 :               2
  SSL VPN             :          0 :          0 :               0
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :          1 :       1546

Tunnels:
               Active : Cumulative : Peak Concurrent
  IKE    :          1 :       1546 :               2
  IPsec  :          1 :       1548 :               3
  Totals :          2 :       3094

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

opts:

  • l2l          IPsec LAN-to-LAN sessions
  • summary      Show VPN Session summary
  • ...........

show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 10.0.2.1
Index        : 1579                   IP Addr      : 10.0.2.1
Protocol     : IKE IPsec
Encryption   : DES                    Hashing      : MD5
Bytes Tx     : 1270                   Bytes Rx     : 1242
Login Time   : 11:00:32 HKST Wed Jun 25 2014
Duration     : 0h:23m:10s

 


Disconnect active VPN tunnels

Clearing either SA interrupts traffic until the tunnel renegotiates, and an initiator only renegotiates when new interesting traffic arrives. Without a peer address, clear crypto isakmp sa tears down every IKE SA on the box, remote-access sessions included. Clearing the IKE SA for a peer takes its IPsec SAs down with it; clearing only the IPsec SAs leaves phase 1 up, so the next packet triggers a quick-mode-only renegotiation, which is the less disruptive way to pick up a changed transform set or crypto ACL.

# Phase 1 (deletes the active IKE security associations for the specified peer)

clear crypto isakmp sa <peer ip address>

# Phase 2 (deletes the active IPSec security associations for the specified peer)

clear crypto ipsec sa peer <peer IP address>

 


Debug

# Levels run 1-255 (default 1); 127 is the usual choice and shows the complete negotiation.
# Debugs are CPU-bound on a 5505 and stay on until cleared with undebug all,
# so scope them to one peer first with debug crypto condition peer <ip>.

debug crypto isakmp <debug level>

debug crypto ipsec <debug level>
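A debug session scoped to one peer, as an added example of using the two commands above; it is not part of the original note. The peer 10.0.2.1 is the page's; the inside interface name and the hosts 192.168.1.10 / 192.168.2.10 are assumptions, and the quoted strings are the ones ASA IKEv1 debugs print for the corresponding failures.

```cisco
! Send debug output to this SSH/telnet session (the console gets it by default)
terminal monitor

! Restrict crypto debugs to the peer under test so a box with other tunnels stays readable
debug crypto condition peer 10.0.2.1

! Level 1-255, default 1. 127 shows the whole IKE and IPsec negotiation; higher levels add packet dumps.
debug crypto isakmp 127
debug crypto ipsec 127

! Force a fresh negotiation for that peer (see "Disconnect active VPN tunnels" above),
! then generate interesting traffic from the LAN or synthesise it with packet-tracer.
clear crypto isakmp sa 10.0.2.1
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10

! What to look for:
!   phase 1  "All IKE SA proposals found unacceptable" (logged on the responder)
!              -> encryption / hash / DH group / auth method mismatch between policies
!            MSG1 retransmitted with no reply at all
!              -> UDP 500 path, or no tunnel-group / isakmp disabled on the peer
!            stuck in MM_WAIT_MSG6 with hash or decryption failures
!              -> pre-shared key or identity mismatch
!   phase 2  "IPSec policy invalidated proposal" / "All IPSec SA proposals found unacceptable"
!              -> transform set, PFS or crypto ACL (proxy ID) mismatch

! Always switch debugs off: they keep running after you log out
undebug all
debug crypto condition reset
show debug
```

Keep `show logging | include 713` handy as well: the ASA IKE syslog IDs start with 713 and survive in the buffer after the debugs are gone, which is often enough to see the mismatch without enabling debugs on a production box.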