Basic Pre-Shared Key IPsec using ISAKMP (IKEv1)


 

Network Schematic

This is a simple pre-shared key IPsec configuration using ISAKMP (IKEv1) for session setup. It uses a two-router Internet simulation (r1601 and r4500t) so that I could insert a hub on the 192.168.6.0/24 Ethernet between them and pick off traffic to see ESP-encapsulated IPsec packets as well as plain ones. Representative packet captures from Ethereal are shown in the bottom two cells of the table. The crypto choices here (single DES, MD5, a short dictionary-word pre-shared key) and the management settings (clear-text line passwords, unrestricted SNMP communities) are lab-only and should not be copied into a production configuration.

 

Route Generator #1

 

r2501b#sh run

!

version 12.2

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

! NOTE(review): with password encryption off, the vty line password below is stored
! in clear text in the running/startup config and in any backup of it.
no service password-encryption

!

hostname r2501b

!

logging rate-limit console 10 except errors

! Type 5 = salted MD5 hash. Adequate for a 12.2 lab box; newer IOS offers type 8/9.
enable secret 5 $1$ZfnL$V.s0AFl67aN8q2OnZJMj/0

!

! NOTE(review): local user "all" with no password or secret. Unused here (lines use
! line passwords, not "login local"), but it would be a credential-less account under
! "login local" - remove it or give it a secret. Verify how this image treats it.
username all

ip subnet-zero

no ip finger

!

no ip dhcp-client network-discovery

!

! Loopbacks are the "route generator" networks advertised into EIGRP.
interface Loopback5

 ip address 192.168.148.1 255.255.255.0

!

interface Loopback6

 ip address 192.168.149.1 255.255.255.0

!

interface Ethernet0

 no ip address

 shutdown

!

! Link to r3660 Serial4/1 (192.168.144.1).
interface Serial0

 bandwidth 250

 ip address 192.168.144.2 255.255.255.252

 no fair-queue

!

interface Serial1

 no ip address

 shutdown

 fair-queue

!

! NOTE(review): no EIGRP authentication on the 192.168.144.0/30 link; a spoofed neighbor
! could inject routes. Lab-acceptable, not for production.
router eigrp 100

 network 192.168.144.0 0.0.0.3

 network 192.168.148.0

 network 192.168.149.0

 no default-information out

 no auto-summary

! NOTE(review): neighbor up/down events will not be logged - keep this on in production.
 no eigrp log-neighbor-changes

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.144.1

no ip http server

!

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

 transport input none

! NOTE(review): aux line has no "login"/password; if a modem or terminal is attached it
! reaches exec unauthenticated.
line aux 0

line vty 0 4

 session-timeout 2880

! 48-hour idle timeout leaves abandoned sessions open for two days.
 exec-timeout 2880 0

! NOTE(review): clear-text line password, no access-class, and the default transport
! accepts telnet - credentials cross the lab network in the clear.
 password wiener

 login

!

end


 

IPSec Router #1

 

r3660#sh run

!

version 12.2

hostname r3660

!

enable secret 5 $1$1nh4$YxcydCPboGGl/aq0zgeLW/

!

ip subnet-zero

!

! IKEv1 phase-1 policy. Only hash and authentication are set; encryption, DH group and
! lifetime fall back to the IOS defaults (des, group 1, 86400 s).
! NOTE(review): lab-grade only - where the image supports it use "encryption 3des"/"aes",
! "group 2" or higher, and "hash sha".
crypto isakmp policy 9

 hash md5

 authentication pre-share

! NOTE(review): the pre-shared key is a short dictionary word stored in clear text, and an
! IKEv1 PSK exchanged in aggressive mode is offline-crackable by anyone who can reach
! UDP/500. Use a long random PSK (or certificates) and disable aggressive mode on images
! that support "crypto isakmp aggressive-mode disable".
crypto isakmp key jughead address 192.168.160.6

!

! NOTE(review): single DES (56-bit) is brute-forceable today; esp-md5-hmac provides
! integrity only. No "mode transport", so tunnel mode applies (matches the captures:
! outer src/dst are the peers, inner packet is encrypted).
crypto ipsec transform-set r4500b esp-des esp-md5-hmac

!

! NOTE(review): no "set pfs", so phase-2 keys are derived from the phase-1 DH secret only.
crypto map r4500b 30 ipsec-isakmp

 set peer 192.168.160.6

 set transform-set r4500b

 match address r4500b1

!

! Loopback0 (192.168.255.254/32) is outside the 192.168.128.0/19 crypto ACL range, so
! traffic sourced from it would leave the tunnel interface in the clear.
interface Loopback0

 ip address 192.168.255.254 255.255.255.255

!

interface Loopback1

 ip address 192.168.128.129 255.255.255.128

!

interface Loopback2

 ip address 192.168.130.1 255.255.255.0

!

interface Loopback3

 ip address 192.168.129.1 255.255.255.0

!

interface Ethernet4/0

 no ip address

 no ip mroute-cache

 half-duplex

!

! Outside (Internet-facing) interface toward r1601 Serial0.
interface Serial4/0

 ip address 192.168.160.2 255.255.255.252

 clockrate 250000

! Crypto map is bound to the outside interface - correct placement.
 crypto map r4500b

!

! Inside link to r2501b Serial0.
interface Serial4/1

 ip address 192.168.144.1 255.255.255.252

!

router eigrp 100

! The 0/0 static below is redistributed into EIGRP for r2501b.
! NOTE(review): no EIGRP authentication on the inside link.
 redistribute static

 network 192.168.128.128 0.0.0.127

 network 192.168.129.0

 network 192.168.130.0

 network 192.168.144.0 0.0.0.3

 no auto-summary

 no eigrp log-neighbor-changes

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.160.1

no ip http server

ip pim bidir-enable

!

!

! Crypto ACL ("interesting traffic"): inside 192.168.128.0/19 to the r4500b-side
! networks. It is the exact mirror of r3660a on r4500b. The 192.168.160.0/30 peer link
! itself is not included, which is why the ping to 192.168.160.1 in the capture crosses
! the hub in the clear.
ip access-list extended r4500b1

 permit ip 192.168.128.0 0.0.31.255 192.168.161.0 0.0.0.255

 permit ip 192.168.128.0 0.0.31.255 192.168.162.0 0.0.1.255

 permit ip 192.168.128.0 0.0.31.255 192.168.164.0 0.0.3.255

 permit ip 192.168.128.0 0.0.31.255 192.168.168.0 0.0.7.255

 permit ip 192.168.128.0 0.0.31.255 192.168.176.0 0.0.15.255

! NOTE(review): facility is set but there is no "logging host" - nothing leaves the box.
logging facility local0

!

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

! NOTE(review): async lines 33-48 (reverse telnet, TCP 2033-2048) have no password and
! no access-class, so whatever is attached to them is reachable unauthenticated by any
! host that can reach this router.
line 33 48

 logging synchronous

 no exec

 transport input telnet

! NOTE(review): aux accepts dial-in ("modem InOut") and "transport input all" but has no
! "login"/password, so a dial-in caller reaches exec unauthenticated.
line aux 0

 logging synchronous

 modem InOut

 modem autoconfigure type default

 transport input all

 speed 115200

line vty 0 4

! NOTE(review): "exec-timeout 0 0" disables the idle timeout entirely.
 exec-timeout 0 0

! NOTE(review): type 7 is a reversible encoding, not a hash. The identical string appears
! on r4500t, i.e. one password is shared. No access-class; telnet accepted by default.
 password 7 01040F01550E14

 login

!

end

 

I'net Router #1

r1601#sh run

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

! Type 7 encoding only - reversible obfuscation, not protection.
service password-encryption

!

hostname r1601

!

! NOTE(review): no local log buffer - no on-box history for incident review.
no logging buffered

enable secret level 3 5 $1$1EHd$.ch2nSSlH4anN28oceHNG0

enable secret 5 $1$CKeB$.4ea/.zzAORMvgsxy5/kS1

!

ip subnet-zero

!

!

clock timezone pst -8

clock summer-time pdt recurring

!

! Hub segment shared with r4500t Ethernet1; this is where the captures were taken.
interface Ethernet0

 ip address 192.168.6.101 255.255.255.0

 no ip directed-broadcast

! Process switching (route cache off) - useful for debugging, not for throughput.
 no ip route-cache

 no ip mroute-cache

 media-type 10BaseT

!

! Link to r3660 Serial4/0 (the IPsec peer at 192.168.160.2).
interface Serial0

 ip address 192.168.160.1 255.255.255.252

 no ip directed-broadcast

 no ip route-cache

 no ip mroute-cache

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.6.100

ip route 192.168.128.0 255.255.224.0 192.168.160.2

ip route 192.168.160.4 255.255.255.252 192.168.6.100

!

! NOTE(review): SNMPv1/v2c communities with no ACL argument - any host that can reach the
! router can query (RO) or rewrite the configuration (RW, e.g. via the config-copy MIB).
! At minimum bind each community to an ACL of management hosts and drop RW; prefer
! SNMPv3 if this 12.0 image supports it.
snmp-server community nels0n RO

snmp-server community nels0nrw RW

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

! Type 7 string - trivially reversible.
 password 7 111E1000191719

 logging synchronous

 login

 transport input none

line vty 0 4

 session-timeout 2880

 exec-timeout 2880 0

! NOTE(review): type 7 password, no access-class, telnet accepted by default.
 password 7 095B470C170005

 login

!

end

I'net Router #2

 

r4500t#sh run

Current configuration : 1200 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

! Type 7 encoding only - reversible obfuscation, not protection.
service password-encryption

!

hostname r4500t

!

enable secret 5 $1$.EUK$Cf2XkxivjcOsLFc3rpVV00

!

clock timezone PST -8

clock summer-time PDT recurring

ip subnet-zero

!

! NOTE(review): SSH parameters are set, but the vty lines below do not restrict
! "transport input ssh", so clear-text telnet is still accepted. RSA keys are not shown
! in a running-config, so whether SSH is actually usable cannot be confirmed here.
ip ssh time-out 120

ip ssh authentication-retries 3

frame-relay switching

!

interface Ethernet0

 no ip address

 shutdown

!

! Hub segment shared with r1601 Ethernet0.
interface Ethernet1

 ip address 192.168.6.100 255.255.255.0

 media-type 10BaseT

!

interface Serial0

 no ip address

 shutdown

!

interface Serial1

 no ip address

 shutdown

!

interface Serial2

 no ip address

 clockrate 250000

!

interface Serial3

 no ip address

!

interface Serial4

 bandwidth 250

 no ip address

 shutdown

!

! Link to r4500b Serial1 (the IPsec peer at 192.168.160.6).
interface Serial5

 ip address 192.168.160.5 255.255.255.252

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.160.6

ip route 192.168.128.0 255.255.224.0 192.168.6.101

ip route 192.168.160.0 255.255.255.252 192.168.6.101

no ip http server

!

! NOTE(review): trap level is set but there is no "logging host".
logging trap debugging

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

line aux 0

line vty 0 4

 session-timeout 2880

! NOTE(review): access-list 1 is not defined anywhere in this config. IOS treats an
! undefined ACL referenced by access-class as permit-all, so this line filters nothing -
! confirm with "show access-lists" and define access-list 1 with the management hosts.
 access-class 1 in

 exec-timeout 2880 0

! NOTE(review): type 7 string, identical to the one on r3660 (shared password).
 password 7 01040F01550E14

 login

! "login" with no password set: IOS refuses connections on this line
! ("Password required, but none set"), so vty 5 is effectively closed.
line vty 5

 access-class 1 in

 login

!

end

 

IPSec Router #2

 

r4500b#sh run

Current configuration : 2177 bytes

!

version 12.2

!

hostname r4500b

!

enable secret 5 $1$dmkQ$LhX8ezIO8y81ypOR34wvt.

!

ip subnet-zero

!

! IKEv1 phase-1 policy; peer uses policy 9 with the same parameters (policies are matched
! on content, not number). Encryption/group/lifetime are IOS defaults (des, group 1,
! 86400 s).
! NOTE(review): lab-grade - prefer 3des/aes, group 2+, sha where the image allows.
crypto isakmp policy 10

 hash md5

 authentication pre-share

! NOTE(review): clear-text, dictionary-word PSK; see the same note on r3660.
crypto isakmp key jughead address 192.168.160.2

!

!

! NOTE(review): single DES + HMAC-MD5, tunnel mode (default). Lab-only cipher choices.
crypto ipsec transform-set r3660 esp-des esp-md5-hmac

!

! NOTE(review): no "set pfs".
crypto map r3660 20 ipsec-isakmp

 set peer 192.168.160.2

 set transform-set r3660

 match address r3660a

!

interface Loopback0

 ip address 192.168.172.1 255.255.255.0

!

interface Loopback1

 ip address 192.168.173.1 255.255.255.0

!

interface Loopback4

 ip address 192.168.161.1 255.255.255.0

!

interface Loopback5

 ip address 192.168.162.1 255.255.255.0

!

interface Ethernet0

 no ip address

 shutdown

 media-type 10BaseT

!

interface Ethernet1

 no ip address

!

! Inside link to r2501t Serial1.
interface Serial0

 ip address 192.168.176.1 255.255.255.252

!

! Outside (Internet-facing) interface toward r4500t Serial5.
interface Serial1

 ip address 192.168.160.6 255.255.255.252

 clockrate 250000

! Crypto map on the outside interface - correct placement.
 crypto map r3660

!

router eigrp 100

! The 0/0 static below is redistributed so r2501t (which has no static default) learns
! a default route. NOTE(review): no EIGRP authentication on the inside link.
 redistribute static

 network 192.168.161.0

 network 192.168.162.0

 network 192.168.172.0

 network 192.168.173.0

 network 192.168.176.0 0.0.0.3

 no auto-summary

 no eigrp log-neighbor-changes

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.160.5

no ip http server

!

!

! Crypto ACL: exact mirror of r4500b1 on r3660. The peer link 192.168.160.0/30 is not
! covered, so traffic to 192.168.160.1 (as in the first capture) is sent in the clear.
ip access-list extended r3660a

 permit ip 192.168.161.0 0.0.0.255 192.168.128.0 0.0.31.255

 permit ip 192.168.162.0 0.0.1.255 192.168.128.0 0.0.31.255

 permit ip 192.168.164.0 0.0.3.255 192.168.128.0 0.0.31.255

 permit ip 192.168.168.0 0.0.7.255 192.168.128.0 0.0.31.255

 permit ip 192.168.176.0 0.0.15.255 192.168.128.0 0.0.31.255

!

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

! NOTE(review): aux line has no "login"/password.
line aux 0

line vty 0 4

 session-timeout 2880

 exec-timeout 2880 0

! NOTE(review): clear-text line password (no "service password-encryption"), no
! access-class, telnet accepted by default.
 password wiener

 login

!

end

 

Route Generator #2

 

r2501t#sh run

Current configuration : 930 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

! NOTE(review): passwords below are stored in clear text.
no service password-encryption

!

hostname r2501t

!

enable secret 5 $1$bOoZ$iOe5Ot0pqnS6LxDIisVUp0

! NOTE(review): redundant with the enable secret (the secret takes precedence), but this
! clear-text value is readable by anyone who sees the config and is the same string used
! as the vty password. Remove it.
enable password wiener

!

! NOTE(review): local user "all" with no password/secret; unused by the lines here but a
! credential-less account under "login local". Remove or give it a secret.
username all

ip subnet-zero

!

interface Loopback4

 ip address 192.168.184.1 255.255.255.0

!

interface Loopback5

 ip address 192.168.185.1 255.255.255.0

!

interface Ethernet0

 no ip address

 no ip mroute-cache

 shutdown

!

interface Serial0

 no ip address

 no ip mroute-cache

 shutdown

!

! Link to r4500b Serial0; this is the source (192.168.176.2) of the pings in the captures.
interface Serial1

 bandwidth 250

 ip address 192.168.176.2 255.255.255.252

 no ip mroute-cache

 clockrate 250000

!

! No static default route here; the default is learned via EIGRP from r4500b's
! "redistribute static". NOTE(review): no EIGRP authentication on the link.
router eigrp 100

 network 192.168.176.0 0.0.0.3

 network 192.168.184.0

 network 192.168.185.0

 no auto-summary

!

ip classless

no ip http server

!

!

line con 0

 session-timeout 2880

 exec-timeout 2880 0

 logging synchronous

! NOTE(review): aux line has no "login"/password.
line aux 0

line vty 0 4

 session-timeout 2880

 exec-timeout 2880 0

! NOTE(review): clear-text line password, no access-class, telnet accepted by default.
 password wiener

 login

!

end

 

Ping from r2501t (192.168.176.2) to r1601's Serial0 (192.168.160.1) and its echo reply. This exchange crosses the hub in the clear: 192.168.160.1 is not covered by crypto ACL r3660a on r4500b (it only matches traffic destined for 192.168.128.0/19), so the crypto map on r4500b's Serial1 forwards it unencapsulated.

 Frame 14 (114 bytes on wire, 114 bytes captured)

    Arrival Time: May  8, 2003 13:05:04.309774000

    Time delta from previous packet: 0.497324000 seconds

    Time relative to first packet: 5.173657000 seconds

    Frame Number: 14

    Packet Length: 114 bytes

    Capture Length: 114 bytes

Ethernet II, Src: 00:60:47:1f:82:fd, Dst: 00:50:54:98:ab:f5

    Destination: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)

    Source: 00:60:47:1f:82:fd (Cisco_1f:82:fd)

    Type: IP (0x0800)

Internet Protocol, Src Addr: 192.168.176.2 (192.168.176.2), Dst Addr: 192.168.160.1 (192.168.160.1)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 100

    Identification: 0x00a0 (160)

    Flags: 0x00

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 253

    Protocol: ICMP (0x01)

    Header checksum: 0xeba3 (correct)

    Source: 192.168.176.2 (192.168.176.2)

    Destination: 192.168.160.1 (192.168.160.1)

Internet Control Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0x9169 (correct)

    Identifier: 0x1fc7

    Sequence number: 0f:90

    Data (72 bytes)

 

Frame 15 (114 bytes on wire, 114 bytes captured)

    Arrival Time: May  8, 2003 13:05:04.312403000

    Time delta from previous packet: 0.002629000 seconds

    Time relative to first packet: 5.176286000 seconds

    Frame Number: 15

    Packet Length: 114 bytes

    Capture Length: 114 bytes

Ethernet II, Src: 00:50:54:98:ab:f5, Dst: 00:60:47:1f:82:fd

    Destination: 00:60:47:1f:82:fd (Cisco_1f:82:fd)

    Source: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)

    Type: IP (0x0800)

Internet Protocol, Src Addr: 192.168.160.1 (192.168.160.1), Dst Addr: 192.168.176.2 (192.168.176.2)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 100

    Identification: 0x00a0 (160)

    Flags: 0x00

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 255

    Protocol: ICMP (0x01)

    Header checksum: 0xe9a3 (correct)

    Source: 192.168.160.1 (192.168.160.1)

    Destination: 192.168.176.2 (192.168.176.2)

Internet Control Message Protocol

    Type: 0 (Echo (ping) reply)

    Code: 0

    Checksum: 0x9969 (correct)

    Identifier: 0x1fc7

    Sequence number: 0f:90

    Data (72 bytes)

Ping from behind one tunnel endpoint (r2501t) to behind the other (r2501b) with its echo reply. Note that the outer source and destination are the IPsec routers (192.168.160.6 and 192.168.160.2) because the transform set uses the default tunnel mode; the original 100-byte ICMP packet travels encrypted inside the 124-byte ESP payload (consistent with an 8-byte DES IV, the inner packet padded to a DES block boundary plus the ESP trailer, and a 12-byte HMAC-MD5-96 ICV), so each packet grows from 100 to 152 bytes on the wire.

 

Frame 29 (166 bytes on wire, 166 bytes captured)

    Arrival Time: May  8, 2003 13:05:06.620073000

    Time delta from previous packet: 0.183885000 seconds

    Time relative to first packet: 7.483956000 seconds

    Frame Number: 29

    Packet Length: 166 bytes

    Capture Length: 166 bytes

Ethernet II, Src: 00:60:47:1f:82:fd, Dst: 00:50:54:98:ab:f5

    Destination: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)

    Source: 00:60:47:1f:82:fd (Cisco_1f:82:fd)

    Type: IP (0x0800)

Internet Protocol, Src Addr: 192.168.160.6 (192.168.160.6), Dst Addr: 192.168.160.2 (192.168.160.2)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 152

    Identification: 0x1bdf (7135)

    Flags: 0x00

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 254

    Protocol: ESP (0x32)

    Header checksum: 0xdefa (correct)

    Source: 192.168.160.6 (192.168.160.6)

    Destination: 192.168.160.2 (192.168.160.2)

Encapsulating Security Payload

    SPI: 0x9135a700

    Sequence: 0x00000005

    Data (124 bytes)

 

Frame 30 (166 bytes on wire, 166 bytes captured)

    Arrival Time: May  8, 2003 13:05:06.640412000

    Time delta from previous packet: 0.020339000 seconds

    Time relative to first packet: 7.504295000 seconds

    Frame Number: 30

    Packet Length: 166 bytes

    Capture Length: 166 bytes

Ethernet II, Src: 00:50:54:98:ab:f5, Dst: 00:60:47:1f:82:fd

    Destination: 00:60:47:1f:82:fd (Cisco_1f:82:fd)

    Source: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)

    Type: IP (0x0800)

Internet Protocol, Src Addr: 192.168.160.2 (192.168.160.2), Dst Addr: 192.168.160.6 (192.168.160.6)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 152

    Identification: 0xc8b4 (51380)

    Flags: 0x00

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 254

    Protocol: ESP (0x32)

    Header checksum: 0x3225 (correct)

    Source: 192.168.160.2 (192.168.160.2)

    Destination: 192.168.160.6 (192.168.160.6)

Encapsulating Security Payload

    SPI: 0x37a43813

    Sequence: 0x00000005

    Data (124 bytes)