Document ID: 69385
Updated: Oct 16, 2008
Introduction
This configuration allows two Cisco Secure PIX Firewalls that run PIX 7.x to build a simple IPsec VPN tunnel from the inside and Demilitarized Zone (DMZ) interfaces of one PIX to the other PIX over the Internet or any other public network.
IPsec is a combination of open standards that provides data confidentiality, data integrity and data origin authentication between IPsec peers.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Basic IPsec and VPN skills
Components Used
The information in this document is based on the Cisco Secure PIX 515E Firewall with Cisco PIX Security Appliance software version 7.2(1) with DMZ interfaces.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
IPsec negotiation can be broken down into five steps and includes two Internet Key Exchange (IKE) phases.
- An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPsec peers.
- In IKE Phase 1, the IPsec peers negotiate the IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using ISAKMP.
- In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.
- The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.
- The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.
Note: IPsec negotiation between the two PIXes fails if the SAs on both of the IKE phases do not match on the peers.
Configure
This section presents the information you need to configure the IPsec tunnel from both the inside interface and the DMZ interface of one PIX to the other PIX.
This configuration assumes that the basic routing configuration is already in place and that the devices are reachable end-to-end. Throughout this document, you can verify the configuration with these show commands.
- show isakmp
- show isakmp policy
- show access-list
- show crypto ipsec transform-set
- show crypto isakmp sa
- show crypto ipsec sa
Refer to the Cisco Secure PIX Firewall Command References for more information on these show commands.
The formation of a secure IPsec tunnel happens in IKE Phase 1 and IKE Phase 2.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
IKE for Preshared Keys Configuration
Enable IKE on the IPsec terminating interfaces with the isakmp enable command. In this scenario, the outside interface is the IPsec terminating interface on both PIXes, so issue the isakmp enable outside command on both PIXes.
Use the isakmp policy command to define the IKE policies that are used during the IKE negotiations. When you use this command, you must assign a priority level so that the policies are uniquely identified. In this case, the priority of 10 is assigned to the policy.
PIX1(config)#isakmp policy 10 authentication pre-share
PIX1(config)#isakmp policy 10 encryption des
PIX1(config)#isakmp policy 10 hash md5
PIX1(config)#isakmp policy 10 group 1
PIX1(config)#isakmp policy 10 lifetime 1000
This policy is also set to:
- Use a preshared key
- Use MD5 hashing algorithm for data authentication
- Use DES for Encapsulating Security Payload (ESP)
- Use Diffie-Hellman group 1
- Set the SA lifetime
Use the show isakmp policy command to verify if the policy is actually configured with all the parameters of your choice.
In order to create and manage the database of connection-specific records for IPsec tunnels, use the tunnel-group command in global configuration mode. The name of the tunnel group must be the IP address of the peer, and the type must be IPsec LAN-to-LAN (ipsec-l2l). In tunnel-group ipsec-attributes configuration mode, issue the pre-shared-key <Password> command as shown:
PIX1(config)#tunnel-group 172.16.2.5 type ipsec-l2l
PIX1(config)#tunnel-group 172.16.2.5 ipsec-attributes
PIX1(config-tunnel-ipsec)#pre-shared-key cisco
Network Address Translation (NAT) Configuration
This setup uses NAT exemption for the traffic to be tunneled. This means that the interesting traffic goes un-NATed. All other traffic uses Port Address Translation (PAT) to change the source IP address of the packet to the IP address of the outside interface.
PIX1(config)#access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list PAT permit ip 10.2.2.0 255.255.255.0 any
PIX1(config)#access-list PAT permit ip 10.3.3.0 255.255.255.0 any
PIX1(config)#nat (inside) 0 access-list NoNAT
PIX1(config)#nat (inside) 1 access-list PAT
PIX1(config)#nat (DMZ) 0 access-list NoNAT
PIX1(config)#nat (DMZ) 1 access-list PAT
PIX1(config)#global (outside) 1 interface
Similarly, on PIX2, NAT exemption (nat 0 with an access list) is configured for the traffic to be tunneled, and all other traffic from the inside network is sent with PAT.
PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
PIX2(config)#nat (inside) 0 access-list NoNAT
PIX2(config)#nat (inside) 1 10.6.6.0 255.255.255.0
PIX2(config)#global (outside) 1 interface
IPsec Configuration
IPsec is initiated when one of the PIXes receives traffic that is destined for the inside network of the other PIX. This traffic is deemed interesting traffic that needs to be protected by IPsec. An access list is used to determine which traffic initiates the IKE and IPsec negotiations. The access list named INTERESTING permits the traffic to be sent from the 10.2.2.0 and 10.3.3.0 networks on the PIX1 Firewall to the 10.6.6.0 network on the PIX2 Firewall.
PIX1(config)#access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
The IPsec transform set defines the security policy that the peers use to protect the data flow. The IPsec transform is defined by using the crypto ipsec transform-set command. A unique name must be chosen for the transform set and up to three transforms can be selected to define the IPsec security protocols. This configuration only uses two transforms:
- esp-md5-hmac
- esp-des
PIX1(config)#crypto ipsec transform-set my-set esp-des esp-md5-hmac
Crypto maps set up IPsec SAs for the encrypted traffic. You must assign a map name and a sequence number, and define the crypto map parameters to create a crypto map. The crypto map "mymap" uses IKE to establish IPsec SAs, encrypts anything that matches the INTERESTING access list, has a set peer, and uses the my-set transform-set to enact its security policy for traffic.
PIX1(config)#crypto map mymap 20 match address INTERESTING
PIX1(config)#crypto map mymap 20 set peer 172.16.2.5
PIX1(config)#crypto map mymap 20 set transform-set my-set
After you define the crypto map, use the crypto map mymap interface outside command to apply the crypto map to an interface. The interface you choose should be the IPsec terminating interface.
PIX1(config)#crypto map mymap interface outside
PIX1 Configuration
PIX1
!--- Output is suppressed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.255.0
!
!--- Note: this interface is named DMZ1 here, while the nat commands
!--- below reference (DMZ). On a real device the nameif and the name
!--- used in the nat commands must be identical.
interface Ethernet2
 nameif DMZ1
 security-level 50
 ip address 10.3.3.2 255.255.255.0
!--- Output is suppressed.
!--- This access control list (ACL) is for NAT 0.
access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
!--- This ACL defines the interesting traffic.
access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
!--- This ACL is for PAT.
access-list PAT permit ip 10.2.2.0 255.255.255.0 any
access-list PAT permit ip 10.3.3.0 255.255.255.0 any
!--- Output is suppressed.
!--- NAT control requires NAT for inside or DMZ hosts
!--- when they access the outside.
nat-control
!--- This is the global statement for PAT.
global (outside) 1 interface
!--- This command is for the NAT 0 entry on the inside interface.
nat (inside) 0 access-list NoNAT
!--- This command is for the PAT entry on the inside interface.
nat (inside) 1 access-list PAT
!--- This command is for the NAT 0 entry on the DMZ interface.
nat (DMZ) 0 access-list NoNAT
!--- This command is for the PAT entry on the DMZ interface.
nat (DMZ) 1 access-list PAT
route outside 0.0.0.0 0.0.0.0 172.16.1.4 1
!--- Output is suppressed.
!--- This command defines the IPsec transform set with the
!--- security policy that the peers use to protect the data flow.
crypto ipsec transform-set my-set esp-des esp-md5-hmac
!--- These commands allow the crypto map to set up IPsec SAs
!--- for the encrypted traffic.
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.2.5
crypto map mymap 20 set transform-set my-set
!--- This command applies the crypto map to the outside interface.
crypto map mymap interface outside
!--- This command enables IKE on the outside interface.
isakmp enable outside
!--- These commands define the IKE Phase 1 policy.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
!--- Output is suppressed.
!--- These commands create and manage the database of connection-specific
!--- records for IPsec tunnels. Issue a preshared key, which must be the same as
!--- that on the peer.
tunnel-group 172.16.2.5 type ipsec-l2l
tunnel-group 172.16.2.5 ipsec-attributes
 pre-shared-key *
!--- Output is suppressed.
PIX2 Configuration
Configuration on PIX2
!--- Output is suppressed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.2.5 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.6.6.5 255.255.255.0
!--- Output is suppressed.
access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
!--- Output is suppressed.
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 10.6.6.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.2.4 1
!--- Output is suppressed.
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.1.2
crypto map mymap 20 set transform-set my-set
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
!--- Output is suppressed.
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
!--- Output is suppressed.
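The Background Information note states that negotiation fails whenever the IKE phases do not match on the peers, and the NAT and IPsec sections add that interesting traffic must be NAT-exempt on each PIX and mirrored on the far side. The following added example (not Cisco code or a PIX feature; a hypothetical checker written for this document) parses the relevant statements from both configurations and reports exactly those mismatches. Each PIX's outside address is passed in as an argument, and the configuration excerpts are constructed from the commands shown above.

```python
import re

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_pix(text, outside_ip):
    """Collect the VPN-relevant statements of one PIX; `outside_ip` is its IPsec terminating address."""
    cfg = {"outside_ip": outside_ip, "acls": {}, "isakmp": {}, "tsets": {},
           "maps": {}, "tgroups": set(), "nat0": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])
        elif m := ISAKMP_RE.match(line):  # lifetime is deliberately not compared
            cfg["isakmp"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := TS_RE.match(line):
            cfg["tsets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            cfg["maps"].setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := TG_RE.match(line):
            cfg["tgroups"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            cfg["nat0"].add(m.group(1))
    return cfg


def check_pair(local, remote):
    """Return the mismatches seen from `local` towards `remote` (empty list = consistent)."""
    problems = []
    # IKE Phase 1: one ISAKMP policy must agree on authentication, encryption, hash and group.
    local_p = {tuple(sorted(p.items())) for p in local["isakmp"].values()}
    remote_p = {tuple(sorted(p.items())) for p in remote["isakmp"].values()}
    if not local_p & remote_p:
        problems.append("Phase 1: no isakmp policy matches the remote side")
    exempt = set().union(*(local["acls"].get(n, set()) for n in local["nat0"]))
    for (name, seq), entry in local["maps"].items():
        tag, peer = f"{name} {seq}", entry.get("set peer")
        if peer != remote["outside_ip"]:
            problems.append(f"{tag}: set peer {peer} is not the remote outside address")
        if peer not in local["tgroups"]:
            problems.append(f"{tag}: no tunnel-group {peer} type ipsec-l2l to hold the pre-shared key")
        back = [e for e in remote["maps"].values() if e.get("set peer") == local["outside_ip"]]
        if not back:
            problems.append(f"{tag}: remote has no crypto map entry peering with {local['outside_ip']}")
            continue
        # IKE Phase 2: transform sets must match and the proxy identities must mirror each other.
        local_ts = local["tsets"].get(entry.get("set transform-set"))
        if not any(remote["tsets"].get(e.get("set transform-set")) == local_ts for e in back):
            problems.append(f"{tag}: transform set {sorted(local_ts or [])} has no match on the remote side")
        interesting = local["acls"].get(entry.get("match address"), set())
        remote_acl = set().union(*(remote["acls"].get(e.get("match address"), set()) for e in back))
        mirrored = {(dst, dmask, src, smask) for src, smask, dst, dmask in interesting}
        for miss in sorted(mirrored - remote_acl):
            problems.append(f"{tag}: remote lacks mirrored proxy identity {miss}")
        # Interesting traffic must bypass NAT (nat 0), or the proxy identities never match.
        for flow in sorted(interesting - exempt):
            problems.append(f"{tag}: interesting flow {flow} is not NAT-exempt")
    return problems


# Constructed excerpts of the PIX1 and PIX2 configurations shown in this document.
PIX1 = """access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (DMZ) 0 access-list NoNAT
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.2.5
crypto map mymap 20 set transform-set my-set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
tunnel-group 172.16.2.5 type ipsec-l2l"""
PIX2 = """access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list NoNAT
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.1.2
crypto map mymap 20 set transform-set my-set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
tunnel-group 172.16.1.2 type ipsec-l2l"""
```

Run check_pair in both directions, since either PIX can initiate IKE; an empty list from both means the pair is consistent.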
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
- show crypto isakmp sa—Displays current IKE SAs.
PIX1#show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 172.16.2.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
- show crypto ipsec sa—Displays the settings used by current SAs.
Once you send the traffic between networks defined as interesting traffic, the IPsec tunnel is triggered. A ping between two hosts can be used to test the formation of the tunnel.
!--- This is show crypto ipsec sa command output on PIX1.
PIX1#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2
      access-list INTERESTING permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5
      !--- This verifies that encrypted packets are
      !--- sent and received without any errors.
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 80A00578
    inbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28593)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28591)
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2
      access-list INTERESTING permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3D0C2074
    inbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y
!--- This is show crypto ipsec sa command output on PIX2.
PIX2#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5
      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 5B64B9D6
    inbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28465)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28463)
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5
      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: D92F129E
    inbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y
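The counters above are what you read by hand. As an added example (not from this document or from Cisco), the hypothetical parser below turns show crypto ipsec sa output from both PIXes into per-flow records, classifies the encaps/decaps counters the way the Verify section describes, and confirms that each outbound SPI on one PIX is the inbound SPI of the mirrored flow on the other. The sample output is a constructed abbreviation of the outputs shown above.

```python
import re


def grab(pattern, chunk, cast=str):
    """Return the first capture of `pattern` in `chunk` through `cast`, or None if absent."""
    m = re.search(pattern, chunk)
    return cast(m.group(1)) if m else None


def parse_ipsec_sa(text):
    """Split `show crypto ipsec sa` output into one record per crypto map entry (flow)."""
    ident = r" ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"
    flows = []
    for chunk in re.split(r"^\s*Crypto map tag:", text, flags=re.M)[1:]:
        flows.append({
            "local": grab("local" + ident, chunk),
            "remote": grab("remote" + ident, chunk),
            "encaps": grab(r"#pkts encaps: (\d+)", chunk, int) or 0,
            "decaps": grab(r"#pkts decaps: (\d+)", chunk, int) or 0,
            "send_err": grab(r"#send errors: (\d+)", chunk, int) or 0,
            "recv_err": grab(r"#recv errors: (\d+)", chunk, int) or 0,
            # An SA still being negotiated shows no spi line yet, so these may be None.
            "in_spi": grab(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", chunk, str.upper),
            "out_spi": grab(r"outbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", chunk, str.upper),
        })
    return flows


def assess(flow):
    """Read one flow's counters the way the Verify section does."""
    if flow["send_err"] or flow["recv_err"]:
        return "errors: packets failed to be encapsulated or decapsulated"
    if flow["encaps"] and not flow["decaps"]:
        return "one-way: encrypting but nothing comes back; check the peer's NAT exemption, route and mirrored ACL"
    if flow["decaps"] and not flow["encaps"]:
        return "one-way: decrypting but nothing is sent; check the local NAT exemption and route"
    return "ok" if flow["encaps"] else "idle: no interesting traffic has used this SA yet"


def spi_pairs(local_flows, remote_flows):
    """Pair each local flow with the peer flow mirroring its identities and confirm the SPIs cross."""
    results = []
    for lf in local_flows:
        rf = next((r for r in remote_flows
                   if r["local"] == lf["remote"] and r["remote"] == lf["local"]), None)
        if rf is None:
            verdict = "no mirrored SA on the peer"
        elif lf["out_spi"] == rf["in_spi"] and lf["in_spi"] == rf["out_spi"]:
            verdict = "spi match"
        else:
            verdict = "spi mismatch: one side holds a stale SA; clear it so the peers renegotiate"
        results.append((lf["local"], lf["remote"], verdict))
    return results


# Constructed, abbreviated output for both PIXes; identities, counters and SPIs are those in this document.
PIX1_OUT = """\
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xD92F129E (3643740830)
    outbound esp sas:
      spi: 0x80A00578 (2157970808)
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2
      local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
    outbound esp sas:
      spi: 0x3D0C2074 (1024204916)"""
PIX2_OUT = """\
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x3D0C2074 (1024204916)
    outbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x80A00578 (2157970808)
    outbound esp sas:
      spi: 0xD92F129E (3643740830)"""
```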
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you issue debug commands.
debug crypto isakmp—Displays debug information about IPsec connections.
debug crypto isakmp
pix3#debug crypto isakmp 7
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Oakley proposal is acceptable
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Fragmentation VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing Cisco Unity VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing xauth V6 VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send IOS VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ISA_KE payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Cisco Unity client VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received xauth V6 VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Generating keys for Initiator...
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing ID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing hash payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Computing hash for ISAKMP
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing dpd vid payload
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Computing hash for ISAKMP
Jan 01 04:34:50 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing VID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Received DPD VID
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Freeing previously allocated memory for authorization-dn-attributes
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Oakley begin quick mode
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 1 COMPLETED
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Keep-alive type for this connection: DPD
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Starting P1 rekey timer: 850 seconds.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, IKE got SPI from key engine: SPI = 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, oakley constucting quick mode
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing blank hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing IPSec SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing IPSec nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing proxy ID
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Transmitting Proxy Id:
  Local subnet:  10.2.2.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.6.6.0  Mask 255.255.255.0 Protocol 0  Port 0
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing qm hash payload
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=75aa2cf6) with payloads: HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message (msgid=75aa2cf6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, loading all IPSEC SAs
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Security negotiation complete for LAN-to-LAN Group (172.16.2.5) Initiator, Inbound SPI = 0x1cd9ec0c, Outbound SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, oakley constructing final quickmode
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=75aa2cf6) with payloads: HDR + HASH (8) + NONE (0) total length : 72
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, IKE got a KEY_ADD msg for SA: SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Pitcher: received KEY_UPDATE, spi 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Starting P2 rekey timer: 24480 seconds.
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 2 COMPLETED (msgid=75aa2cf6)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b7)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing blank hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing qm hash payload
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=e3dd9a55) with payloads: HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message (msgid=1f40840c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing notify payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x52fec0b7)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b8)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing blank hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, constructing qm hash payload
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=928bbc7f) with payloads: HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message (msgid=b4745eeb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, processing notify payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x52fec0b8)
debug crypto ipsec—Displays debug information about IPsec connections.
debug crypto ipsec
pix1#debug crypto ipsec 7
IPSEC: New embryonic SA created @ 0x01AEAB40,
    SCB: 0x028CF0C8,
    Direction: inbound
    SPI      : 0xEFFE8E91
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x028F27E0,
    SCB: 0x02842188,
    Direction: outbound
    SPI      : 0xEB62E7B0
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xEB62E7B0
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: New outbound permit rule, SPI 0xEB62E7B0
!--- Tunnel endpoints
    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEB62E7B0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: Completed host IBSA update, SPI 0xEFFE8E91
IPSEC: Creating inbound VPN context, SPI 0xEFFE8E91
    Flags: 0x00000006
    SA   : 0x01AEAB40
    SPI  : 0xEFFE8E91
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00076B84
    SCB  : 0x028CF0C8
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0xEFFE8E91
    VPN handle: 0x0007801C
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0007801C
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: Completed outbound outer SPD rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: New inbound tunnel flow rule, SPI 0xEFFE8E91
!--- IPsec session by inside interface
    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xEFFE8E91
    Rule ID: 0x01A88838
IPSEC: New inbound decrypt rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xEFFE8E91
    Rule ID: 0x028F2710
IPSEC: New inbound permit rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xEFFE8E91
    Rule ID: 0x028F3F70
IPSEC: New embryonic SA created @ 0x01AFA2E8,
    SCB: 0x028F4318,
    Direction: inbound
    SPI      : 0x9E53EEA4
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x0281FEA8,
    SCB: 0x01AFA6C0,
    Direction: outbound
    SPI      : 0x430107DD
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x430107DD
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: New outbound permit rule, SPI 0x430107DD
    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x430107DD
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: Completed host IBSA update, SPI 0x9E53EEA4
IPSEC: Creating inbound VPN context, SPI 0x9E53EEA4
    Flags: 0x00000006
    SA   : 0x01AFA2E8
    SPI  : 0x9E53EEA4
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0007DB1C
    SCB  : 0x028F4318
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0x9E53EEA4
    VPN handle: 0x000813D4
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x000813D4
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: Completed outbound outer SPD rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: New inbound tunnel flow rule, SPI 0x9E53EEA4
!--- IPsec session by DMZ interface
    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.3.3.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9E53EEA4
    Rule ID: 0x02850040
IPSEC: New inbound decrypt rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x9E53EEA4
    Rule ID: 0x0284ACF8
IPSEC: New inbound permit rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op : ignore
    Dst ports Upper: 0 Lower: 0 Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x9E53EEA4
    Rule ID: 0x0281FDA8
Clear Security Associations (SAs)
clear crypto ipsec sa peer 10.6.6.6—Deletes all IPsec SAs to a peer as identified by the specified hostname or IP address.
clear isakmp sa—Removes all of the IKE runtime SA databases.
Related Information
- Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec
- Cisco PIX 500 Series Security Appliances
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco Secure PIX Firewall Command References
- Requests for Comments (RFCs)
- IPsec Negotiation/IKE Protocols
- Technical Support & Documentation - Cisco Systems