Basic Pre-Shared Key IPSec using ISAKMP
This is a simple pre-shared key IPSec configuration that uses ISAKMP for session setup. It uses a two-router Internet simulation so that I could insert a hub between the routers and pick off traffic, seeing the encapsulated IPSec (ESP) packets alongside the unencrypted ones. Representative packet captures from Ethereal are shown after the six router configurations.
Route Generator #1

r2501b#sh run
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2501b
!
logging rate-limit console 10 except errors
enable secret 5 $1$ZfnL$V.s0AFl67aN8q2OnZJMj/0
!
username all
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
interface Loopback5
 ip address 192.168.148.1 255.255.255.0
!
interface Loopback6
 ip address 192.168.149.1 255.255.255.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 bandwidth 250
 ip address 192.168.144.2 255.255.255.252
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
 fair-queue
!
router eigrp 100
 network 192.168.144.0 0.0.0.3
 network 192.168.148.0
 network 192.168.149.0
 no default-information out
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.144.1
no ip http server
!
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 transport input none
line aux 0
line vty 0 4
 session-timeout 2880
 exec-timeout 2880 0
 password wiener
 login
!
end
IPSec Router #1

r3660#sh run
!
version 12.2
hostname r3660
!
enable secret 5 $1$1nh4$YxcydCPboGGl/aq0zgeLW/
!
ip subnet-zero
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key jughead address 192.168.160.6
!
crypto ipsec transform-set r4500b esp-des esp-md5-hmac
!
crypto map r4500b 30 ipsec-isakmp
 set peer 192.168.160.6
 set transform-set r4500b
 match address r4500b1
!
interface Loopback0
 ip address 192.168.255.254 255.255.255.255
!
interface Loopback1
 ip address 192.168.128.129 255.255.255.128
!
interface Loopback2
 ip address 192.168.130.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.129.1 255.255.255.0
!
interface Ethernet4/0
 no ip address
 no ip mroute-cache
 half-duplex
!
interface Serial4/0
 ip address 192.168.160.2 255.255.255.252
 clockrate 250000
 crypto map r4500b
!
interface Serial4/1
 ip address 192.168.144.1 255.255.255.252
!
router eigrp 100
 redistribute static
 network 192.168.128.128 0.0.0.127
 network 192.168.129.0
 network 192.168.130.0
 network 192.168.144.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.160.1
no ip http server
ip pim bidir-enable
!
!
ip access-list extended r4500b1
 permit ip 192.168.128.0 0.0.31.255 192.168.161.0 0.0.0.255
 permit ip 192.168.128.0 0.0.31.255 192.168.162.0 0.0.1.255
 permit ip 192.168.128.0 0.0.31.255 192.168.164.0 0.0.3.255
 permit ip 192.168.128.0 0.0.31.255 192.168.168.0 0.0.7.255
 permit ip 192.168.128.0 0.0.31.255 192.168.176.0 0.0.15.255
logging facility local0
!
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line 33 48
 logging synchronous
 no exec
 transport input telnet
line aux 0
 logging synchronous
 modem InOut
 modem autoconfigure type default
 transport input all
 speed 115200
line vty 0 4
 exec-timeout 0 0
 password 7 01040F01550E14
 login
!
end
I'net Router #1

r1601#sh run
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1601
!
no logging buffered
enable secret level 3 5 $1$1EHd$.ch2nSSlH4anN28oceHNG0
enable secret 5 $1$CKeB$.4ea/.zzAORMvgsxy5/kS1
!
ip subnet-zero
!
!
clock timezone pst -8
clock summer-time pdt recurring
!
interface Ethernet0
 ip address 192.168.6.101 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 media-type 10BaseT
!
interface Serial0
 ip address 192.168.160.1 255.255.255.252
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.100
ip route 192.168.128.0 255.255.224.0 192.168.160.2
ip route 192.168.160.4 255.255.255.252 192.168.6.100
!
snmp-server community nels0n RO
snmp-server community nels0nrw RW
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 password 7 111E1000191719
 logging synchronous
 login
 transport input none
line vty 0 4
 session-timeout 2880
 exec-timeout 2880 0
 password 7 095B470C170005
 login
!
end
I'net Router #2

r4500t#sh run
Current configuration : 1200 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r4500t
!
enable secret 5 $1$.EUK$Cf2XkxivjcOsLFc3rpVV00
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
frame-relay switching
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet1
 ip address 192.168.6.100 255.255.255.0
 media-type 10BaseT
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial2
 no ip address
 clockrate 250000
!
interface Serial3
 no ip address
!
interface Serial4
 bandwidth 250
 no ip address
 shutdown
!
interface Serial5
 ip address 192.168.160.5 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.160.6
ip route 192.168.128.0 255.255.224.0 192.168.6.101
ip route 192.168.160.0 255.255.255.252 192.168.6.101
no ip http server
!
logging trap debugging
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line aux 0
line vty 0 4
 session-timeout 2880
 access-class 1 in
 exec-timeout 2880 0
 password 7 01040F01550E14
 login
line vty 5
 access-class 1 in
 login
!
end
IPSec Router #2

r4500b#sh run
Current configuration : 2177 bytes
!
version 12.2
!
hostname r4500b
!
enable secret 5 $1$dmkQ$LhX8ezIO8y81ypOR34wvt.
!
ip subnet-zero
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key jughead address 192.168.160.2
!
!
crypto ipsec transform-set r3660 esp-des esp-md5-hmac
!
crypto map r3660 20 ipsec-isakmp
 set peer 192.168.160.2
 set transform-set r3660
 match address r3660a
!
interface Loopback0
 ip address 192.168.172.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.173.1 255.255.255.0
!
interface Loopback4
 ip address 192.168.161.1 255.255.255.0
!
interface Loopback5
 ip address 192.168.162.1 255.255.255.0
!
interface Ethernet0
 no ip address
 shutdown
 media-type 10BaseT
!
interface Ethernet1
 no ip address
!
interface Serial0
 ip address 192.168.176.1 255.255.255.252
!
interface Serial1
 ip address 192.168.160.6 255.255.255.252
 clockrate 250000
 crypto map r3660
!
 redistribute static
 network 192.168.161.0
 network 192.168.162.0
 network 192.168.172.0
 network 192.168.173.0
 network 192.168.176.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.160.5
no ip http server
!
!
ip access-list extended r3660a
 permit ip 192.168.161.0 0.0.0.255 192.168.128.0 0.0.31.255
 permit ip 192.168.162.0 0.0.1.255 192.168.128.0 0.0.31.255
 permit ip 192.168.164.0 0.0.3.255 192.168.128.0 0.0.31.255
 permit ip 192.168.168.0 0.0.7.255 192.168.128.0 0.0.31.255
 permit ip 192.168.176.0 0.0.15.255 192.168.128.0 0.0.31.255
!
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line aux 0
line vty 0 4
 session-timeout 2880
 exec-timeout 2880 0
 password wiener
 login
!
end
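The two crypto ACLs (r4500b1 on r3660 and r3660a on r4500b) have to be mirror images of each other: whatever one router selects for encryption in one direction, the peer must select in the reverse direction, otherwise one direction is sent unprotected or the SA negotiation fails. The script below is an added example, not part of the original write-up or of IOS; it parses the "permit ip" entries copied from the two configurations, checks that they mirror, and reports whether a given source/destination pair would be protected. Only contiguous wildcard masks (plain CIDR blocks, which is all this page uses) are supported; anything else raises rather than being silently skipped.

```python
import ipaddress

# Crypto ACLs copied from the two IPSec routers above (r4500b1 on r3660, r3660a on r4500b).
R3660_ACL = """
permit ip 192.168.128.0 0.0.31.255 192.168.161.0 0.0.0.255
permit ip 192.168.128.0 0.0.31.255 192.168.162.0 0.0.1.255
permit ip 192.168.128.0 0.0.31.255 192.168.164.0 0.0.3.255
permit ip 192.168.128.0 0.0.31.255 192.168.168.0 0.0.7.255
permit ip 192.168.128.0 0.0.31.255 192.168.176.0 0.0.15.255
"""

R4500B_ACL = """
permit ip 192.168.161.0 0.0.0.255 192.168.128.0 0.0.31.255
permit ip 192.168.162.0 0.0.1.255 192.168.128.0 0.0.31.255
permit ip 192.168.164.0 0.0.3.255 192.168.128.0 0.0.31.255
permit ip 192.168.168.0 0.0.7.255 192.168.128.0 0.0.31.255
permit ip 192.168.176.0 0.0.15.255 192.168.128.0 0.0.31.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    A wildcard is the bitwise inverse of a netmask. ipaddress rejects a
    non-contiguous mask with a ValueError, which is what we want: such an
    entry cannot be represented as a single network.
    """
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Parse 'permit ip <src> <wc> <dst> <wc>' lines into (src_net, dst_net) pairs.

    A crypto ACL decides which traffic gets protected, so an entry this
    parser does not understand is an error rather than something to skip.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported crypto ACE: {line!r}")
        _, _, src, src_wc, dst, dst_wc = parts
        entries.append((wildcard_to_network(src, src_wc),
                        wildcard_to_network(dst, dst_wc)))
    return entries


def is_mirror(acl_a, acl_b):
    """True when every (src, dst) in one ACL appears as (dst, src) in the other."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


def selects(acl, src_ip, dst_ip):
    """Would this crypto ACL send a src -> dst packet through the tunnel?"""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


if __name__ == "__main__":
    r3660, r4500b = parse_crypto_acl(R3660_ACL), parse_crypto_acl(R4500B_ACL)
    print("ACLs are mirror images:", is_mirror(r3660, r4500b))
    # Frame 14 below: r2501t (192.168.176.2) pings r1601's serial address.
    # Not selected, so it crosses the link as plain ICMP.
    print("176.2 -> 160.1 protected:", selects(r4500b, "192.168.176.2", "192.168.160.1"))
    # Frames 29/30 below: r2501t pings r2501b's 192.168.148.1. Selected, so it shows up as ESP.
    print("176.2 -> 148.1 protected:", selects(r4500b, "192.168.176.2", "192.168.148.1"))
```

The same check explains the two captures that follow: the ping to r1601's serial address falls outside both ACLs and is visible as ICMP, while the ping between the two route generators matches and is seen only as ESP between the IPSec routers.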
Router Generator #2

r2501t#sh run
Current configuration : 930 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2501t
!
enable secret 5 $1$bOoZ$iOe5Ot0pqnS6LxDIisVUp0
enable password wiener
!
username all
ip subnet-zero
!
interface Loopback4
 ip address 192.168.184.1 255.255.255.0
!
interface Loopback5
 ip address 192.168.185.1 255.255.255.0
!
interface Ethernet0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial1
 bandwidth 250
 ip address 192.168.176.2 255.255.255.252
 no ip mroute-cache
 clockrate 250000
!
router eigrp 100
 network 192.168.176.0 0.0.0.3
 network 192.168.184.0
 network 192.168.185.0
 no auto-summary
!
ip classless
no ip http server
!
!
line con 0
 session-timeout 2880
 exec-timeout 2880 0
 logging synchronous
line aux 0
line vty 0 4
 session-timeout 2880
 exec-timeout 2880 0
 password wiener
 login
!
end
Ping from r2501t to tunnel wall r1601/s1 and its echo reply. This traffic is not selected by the crypto ACLs, so it crosses the link in the clear (Protocol: ICMP rather than ESP).

Arrival Time:
Time delta from previous packet: 0.497324000 seconds
Time relative to first packet: 5.173657000 seconds
Frame Number: 14
Packet Length: 114 bytes
Capture Length: 114 bytes
Ethernet II, Src: 00:60:47:1f:82:fd, Dst: 00:50:54:98:ab:f5
    Destination: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)
    Source: 00:60:47:1f:82:fd (Cisco_1f:82:fd)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.176.2 (192.168.176.2), Dst Addr: 192.168.160.1 (192.168.160.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 100
    Identification: 0x00a0 (160)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 253
    Protocol: ICMP (0x01)
    Header checksum: 0xeba3 (correct)
    Source: 192.168.176.2 (192.168.176.2)
    Destination: 192.168.160.1 (192.168.160.1)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x9169 (correct)
    Identifier: 0x1fc7
    Sequence number: 0f:90
    Data (72 bytes)

Frame 15 (114 bytes on wire, 114 bytes captured)
Arrival Time:
Time delta from previous packet: 0.002629000 seconds
Time relative to first packet: 5.176286000 seconds
Frame Number: 15
Packet Length: 114 bytes
Capture Length: 114 bytes
Ethernet II, Src: 00:50:54:98:ab:f5, Dst: 00:60:47:1f:82:fd
    Destination: 00:60:47:1f:82:fd (Cisco_1f:82:fd)
    Source: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.160.1 (192.168.160.1), Dst Addr: 192.168.176.2 (192.168.176.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 100
    Identification: 0x00a0 (160)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: ICMP (0x01)
    Header checksum: 0xe9a3 (correct)
    Source: 192.168.160.1 (192.168.160.1)
    Destination: 192.168.176.2 (192.168.176.2)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x9969 (correct)
    Identifier: 0x1fc7
    Sequence number: 0f:90
    Data (72 bytes)
Ping from one tunnel endpoint (r2501t) to the other (r2501b), with its echo reply. Note that the outer source and destination addresses are now the IPSec routers, the inner packet is hidden entirely, and the encrypted ESP data is padded out to 124 bytes.

Frame 29 (166 bytes on wire, 166 bytes captured)
Arrival Time:
Time delta from previous packet: 0.183885000 seconds
Time relative to first packet: 7.483956000 seconds
Frame Number: 29
Packet Length: 166 bytes
Capture Length: 166 bytes
Ethernet II, Src: 00:60:47:1f:82:fd, Dst: 00:50:54:98:ab:f5
    Destination: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)
    Source: 00:60:47:1f:82:fd (Cisco_1f:82:fd)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.160.6 (192.168.160.6), Dst Addr: 192.168.160.2 (192.168.160.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 152
    Identification: 0x1bdf (7135)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: ESP (0x32)
    Header checksum: 0xdefa (correct)
    Source: 192.168.160.6 (192.168.160.6)
    Destination: 192.168.160.2 (192.168.160.2)
Encapsulating Security Payload
    SPI: 0x9135a700
    Sequence: 0x00000005
    Data (124 bytes)

Frame 30 (166 bytes on wire, 166 bytes captured)
Arrival Time:
Time delta from previous packet: 0.020339000 seconds
Time relative to first packet: 7.504295000 seconds
Frame Number: 30
Packet Length: 166 bytes
Capture Length: 166 bytes
Ethernet II, Src: 00:50:54:98:ab:f5, Dst: 00:60:47:1f:82:fd
    Destination: 00:60:47:1f:82:fd (Cisco_1f:82:fd)
    Source: 00:50:54:98:ab:f5 (Cisco_98:ab:f5)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.160.2 (192.168.160.2), Dst Addr: 192.168.160.6 (192.168.160.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 152
    Identification: 0xc8b4 (51380)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: ESP (0x32)
    Header checksum: 0x3225 (correct)
    Source: 192.168.160.2 (192.168.160.2)
    Destination: 192.168.160.6 (192.168.160.6)
Encapsulating Security Payload
    SPI: 0x37a43813
    Sequence: 0x00000005
    Data (124 bytes)
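The 124-byte ESP payload and the 152-byte outer packet are exactly what the esp-des esp-md5-hmac transform set predicts for a 100-byte inner ICMP packet in tunnel mode: 8-byte IV, the 100-byte inner packet plus 2 bytes of padding plus the pad-length and next-header bytes (104, a multiple of the 8-byte DES block), and a 12-byte truncated HMAC-MD5 ICV, all behind the 8-byte SPI/sequence header. The script below is an added example and not part of the original page: it parses only the cleartext part of an ESP packet (outer IPv4 header, SPI and sequence number) and checks the length arithmetic. The sample frames are constructed from the outer header values of frames 29 and 14 above; the encrypted bytes are zero placeholders because the capture does not show them.

```python
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
ESP_HEADER = struct.Struct("!II")             # SPI, sequence number (RFC 2406)
IPPROTO_ESP = 50                              # shown by Ethereal as "ESP (0x32)"


def esp_tunnel_lengths(inner_len, block=8, iv_len=8, icv_len=12, outer_ip=20):
    """Predict the on-the-wire size of a tunnel-mode ESP packet.

    Defaults model the page's transform set: esp-des (8-byte block and IV)
    with esp-md5-hmac (96-bit truncated ICV). The inner packet plus padding,
    pad-length byte and next-header byte must fill whole cipher blocks.
    """
    trailer = 2                                # pad length + next header
    pad = (-(inner_len + trailer)) % block
    encrypted = inner_len + pad + trailer
    esp_len = ESP_HEADER.size + iv_len + encrypted + icv_len
    return {"esp_data": esp_len - ESP_HEADER.size,  # what Ethereal labels "Data"
            "ip_total": outer_ip + esp_len}


def is_esp(packet):
    """True if the IPv4 packet carries ESP (protocol 50)."""
    if len(packet) < IPV4_HEADER.size or packet[0] >> 4 != 4:
        return False
    return IPV4_HEADER.unpack_from(packet)[6] == IPPROTO_ESP


def summarize_esp_frame(packet):
    """Parse the outer IPv4 header and the ESP SPI/sequence behind it.

    Only cleartext fields are decoded; everything after the 8-byte ESP header
    is ciphertext plus ICV and is reported only as an opaque length. Length
    fields are checked against the captured bytes before they are trusted.
    """
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = IPV4_HEADER.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if proto != IPPROTO_ESP:
        raise ValueError(f"protocol {proto} is not ESP: packet is not IPsec-protected")
    if total_len > len(packet) or total_len < ihl + ESP_HEADER.size:
        raise ValueError("IPv4 total length inconsistent with captured bytes")
    payload = packet[ihl:total_len]
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ident": ident, "ip_total": total_len,
        "spi": spi, "seq": seq,
        "esp_data": len(payload) - ESP_HEADER.size,
    }


# Constructed samples. FRAME_29 reuses the outer IPv4 header and the ESP SPI and
# sequence number of frame 29 above; the 124 zero bytes stand in for the encrypted
# payload and ICV, which the capture does not reveal. FRAME_14 is the outer header
# of the cleartext ICMP echo (frame 14) with placeholder ICMP bytes behind it.
FRAME_29 = (bytes.fromhex("4500 0098 1bdf 0000 fe32 defa c0a8a006 c0a8a002")
            + bytes.fromhex("9135a700 00000005")
            + bytes(124))
FRAME_14 = (bytes.fromhex("4500 0064 00a0 0000 fd01 eba3 c0a8b002 c0a8a001")
            + bytes(80))


if __name__ == "__main__":
    print(summarize_esp_frame(FRAME_29))
    print("frame 14 is ESP:", is_esp(FRAME_14))
    # A 100-byte inner ICMP packet should come out as the 152 bytes seen in frame 29.
    print(esp_tunnel_lengths(100))
```

A hub on the link sees nothing beyond what this parser extracts: peer addresses, SPI, sequence number and length. The sequence numbers (5 in both directions) also show that anti-replay state is per SA, one SA per direction, each with its own SPI.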