Dynamic crypto maps enable IPSec to negotiate ISAKMP and IPSec Security Associations (SAs) that are initiated from remote endpoints whose addresses may be unknown. Dynamic crypto maps by themselves do not enable a virtual private network (VPN) endpoint to proactively discover remote and unknown IPSec peers, and they do not allow a VPN endpoint to initiate ISAKMP and IPSec SA negotiation to undiscovered peers. Indeed, traffic that falls in the crypto-protected path of a dynamic crypto map without TED will be dropped until the remote peer has already initiated and negotiated an IPSec tunnel with the IPSec endpoint using that dynamic crypto map. In order to initiate ISAKMP and IPSec SA negotiation with unknown remote peers, dynamic crypto maps must be used in conjunction with TED, which is discussed later in this chapter.
With static crypto maps, an IPSec peer is defined statically. This is not the case with dynamic crypto maps. Instead, because the peer is unknown, dynamic crypto maps respond to ISAKMP and IPSec SA negotiation attempts from an array of previously unknown peers. Because of this, dynamic crypto maps have distinct differences from static crypto maps that change several principles of IPSec and ISAKMP design, deployment, and administration. Here are some key components of static IPSec peering designs that can be dynamically learned and configured by changing the design to use dynamic crypto maps:
- Dynamic acceptance and configuration of the remote (initiating) peer's IP address in the negotiated IPSec SA
- Dynamic acceptance and configuration of the crypto-protected address space in the IPSec SA
Note: In remote access VPN deployments, dynamic crypto maps are typically used to facilitate additional dynamic functionality, such as the dynamic assignment of VPN client IP addresses, DNS/WINS servers, and IP domain names using IKE Mode Config. These scenarios are discussed in more detail in Chapter 9, "Solutions for Remote Access VPN High Availability."
With static crypto maps, all of the above items must be manually configured at both the local and remote peers. In a dynamic crypto map solution, only the remote endpoint must be statically configured; the local endpoint can use its dynamic crypto map to learn the remote peer's IP address after the fact. Indeed, it is this dynamic nature that distinguishes dynamic crypto maps from static ones. We will explore configurations that enable dynamic functionality later in the chapter, but first we will explore the impact that dynamic crypto maps have on the operation of ISAKMP and IPSec.
Incorporating dynamic crypto maps into an IPSec VPN design can dramatically change the behavior of the VPN. It is therefore critical that network administrators understand the way that dynamic crypto maps alter the behavior of the VPN. In the following sections, we will discuss the impact of dynamic crypto map design on ISAKMP SA negotiation and what routing considerations must be addressed in an IPSec VPN deployment using dynamic crypto maps. Then we will discuss the security considerations of dynamic crypto maps compared against static ones, as well as some measures to consider when securing VPN implementations that use dynamic crypto maps.
Dynamic crypto maps dynamically associate a remote peer with the local IPSec configuration based on information supplied by the remote peer itself. Indeed, ISAKMP negotiation cannot begin until a remote peer is defined. Therefore, when a router that uses dynamic crypto maps receives a request to initiate ISAKMP SA negotiation using a matching, locally configured ISAKMP policy, it creates and installs a temporary crypto map entry populated with the initiating endpoint's peer address so that it can then proceed with Phase 1 negotiation. This order of operations is illustrated later in Figure 12-1.
Figure 12-1. Reverse Route Injection and Dynamic Crypto Maps
A VPN endpoint that uses dynamic crypto maps must be configured with an ISAKMP policy that matches one proposed by the remote VPN endpoint. This behavior is consistent with static crypto maps, with one exception: dynamic crypto maps typically use wildcard preshared keys. The use of wildcard preshared keys allows network administrators to define a key for use with a range of IP addresses, rather than just one. This is particularly useful in a dynamic crypto map scenario in which there is a diverse range of peers whose addresses are unknown. Wildcard preshared keys remove the need to know the peer's specific address during IKE authentication, requiring only that it fall within a specified range. Example 12-1 illustrates a sample IKE configuration using a wildcard preshared key.
Note: The use of wildcard preshared keys leads to difficulties when attempting to evict an endpoint from the IPSec VPN. When the administrative overhead of static preshared keys is a concern, it is recommended that RSA signatures be used instead of wildcard preshared keys.
! Wildcard preshared key: any peer whose address falls in 192.168.0.0/16
! authenticates with the key "extranet"
crypto isakmp key extranet address 192.168.0.0 255.255.0.0
Note: For increased security with dynamic crypto maps, IKE Extended Authentication (x-auth) can be used in place of preshared keys. IKE x-auth leverages a robust set of authentication and authorization commands in conjunction with centrally maintained TACACS+/RADIUS databases for increased security and scalability.
Designs leveraging the functionality of dynamic crypto maps introduce some additional design considerations that network designers must address within their routed infrastructures. The following list provides a brief introduction and explanation of considerations for IPSec VPNs with dynamic crypto maps:
- IGP Multicast Routing Updates: Dynamic crypto maps allow a broader definition of protected traffic sets, since multiple unknown peers can now dynamically negotiate different protected traffic sets with the same dynamic crypto map. However, caution must be exercised against the use of the any keyword in the dynamic crypto map's ACL when defining broad scopes of protection, so that multicast routing protocol updates are not encrypted or dropped unnecessarily. As we have noted previously, traffic in the crypto path of a dynamic crypto map will not initiate IPSec tunnel negotiation; it will instead be dropped. Therefore, including multicast and broadcast traffic within the crypto path of a dynamic crypto map typically results in the discarding of routing updates and the loss of routing protocol (RP) adjacencies. When using the any keyword on the dynamic crypto map ACL, traffic such as multicast RP updates must be explicitly denied first.
- Reverse Route Injection (RRI): RRI is a feature that dynamically injects routes into the IPSec VPN gateway's routing table. Effective implementation of RRI allows network administrators to keep the routing table size manageable. With RRI, routes are injected dynamically into the routing table, from which they can subsequently be redistributed into the enterprise's IGP for propagation throughout the network. This allows the VPN concentrator or router to inject routes only for those remote networks that have active IPSec VPN connections. This technique can be used to effectively scale the Interior Gateway Protocol (IGP) of an IPSec VPN implementation when used in conjunction with dynamic crypto maps.
Figure 12-1 illustrates an IPSec VPN deployment in which dynamic crypto maps are used in conjunction with RRI.
The following is the operation of the IPSec-enabled infrastructure, numbered as in Figure 12-1:
1. The remote network attempts to contact a resource on the enterprise network.
2. The remote VPN endpoint sees the traffic in Step 1, successfully matches it against a crypto ACL, and initiates ISAKMP SA negotiation.
3. The VPN aggregation point receives the request and finds a locally configured ISAKMP policy that matches the ISAKMP proposal it received in Step 2. The VPN aggregator creates a temporary crypto map entry populated with the remote peer address so that ISAKMP negotiation can continue.
4. The VPN aggregator on the enterprise network uses the temporary crypto map installed in Step 3 to negotiate Phase 1 and Phase 2 with the remote VPN endpoint.
5. The VPN aggregator uses RRI to dynamically inject the 199.1.1.0/24 network into the enterprise network. This allows enterprise resources to route traffic over the VPN to the appropriate destination on the remote end of the IPSec VPN tunnel. When the ISAKMP and IPSec SAs for the remote network time out, the routes injected using RRI are allowed to time out as well.
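The five steps above, together with the earlier point that hub-originated traffic in the crypto path of a dynamic crypto map is dropped rather than triggering negotiation, can be modeled in a few dozen lines. The following is an added illustration, not code from the book or from IOS: the hub object, the wildcard-key check, the temporary crypto map entry, the injected route, and the lifetime value are all constructed for the example, and the addresses reuse those of Figure 12-1 and Example 12-1.

```python
"""Model of the Figure 12-1 sequence: a hub running a dynamic crypto map
accepts negotiation from a previously unknown peer, installs a temporary
crypto map entry, and injects (RRI) a route for the peer's protected
network; when the SA lifetime expires the route is withdrawn.
Constructed illustration, not IOS behaviour in detail."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class IsakmpPolicy:
    encr: str
    hash_alg: str
    auth: str
    group: int


@dataclass
class DynamicCryptoMap:
    """Hub-side dynamic crypto map: no 'set peer', peers are learned when
    they initiate. wildcard_key_net/wildcard_key model the
    'crypto isakmp key <key> address <net> <mask>' entry."""
    name: str
    local_proxy: object          # 'match address' ACL, hub side
    policies: list
    wildcard_key_net: object
    wildcard_key: str
    temp_entries: dict = field(default_factory=dict)  # peer -> remote proxy
    sa_expiry: dict = field(default_factory=dict)     # peer -> expiry (s)


@dataclass
class Hub:
    dmap: DynamicCryptoMap
    routing_table: dict = field(default_factory=dict)  # prefix -> next hop

    def receive_isakmp_proposal(self, peer, policy, key, remote_proxy, now, lifetime):
        """Steps 2-5: match the policy, authenticate with the wildcard key,
        install a temporary entry for the initiator, and inject the RRI route."""
        peer, remote_proxy = ip_address(peer), ip_network(remote_proxy)
        if policy not in self.dmap.policies:
            return False, "no matching ISAKMP policy"
        if peer not in self.dmap.wildcard_key_net or key != self.dmap.wildcard_key:
            return False, "IKE authentication failed"
        self.dmap.temp_entries[peer] = remote_proxy      # Step 3
        self.dmap.sa_expiry[peer] = now + lifetime       # Step 4: SAs built
        self.routing_table[remote_proxy] = peer          # Step 5: RRI
        return True, "SA established, route injected"

    def forward(self, src, dst):
        """Hub-originated traffic. Without TED, traffic in the crypto path
        never triggers negotiation: it is encrypted only if a peer has
        already built an SA covering it, and dropped otherwise."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in self.dmap.local_proxy:
            return "bypass"  # outside the crypto ACL, sent in the clear
        for peer, proxy in self.dmap.temp_entries.items():
            if dst in proxy:
                return f"encrypt to {peer}"
        return "drop"

    def age_out(self, now):
        """SA lifetime expiry removes the temporary entry and its RRI route."""
        for peer, expiry in list(self.dmap.sa_expiry.items()):
            if now >= expiry:
                proxy = self.dmap.temp_entries.pop(peer)
                del self.dmap.sa_expiry[peer]
                self.routing_table.pop(proxy, None)


def build_hub():
    policy = IsakmpPolicy("3des", "md5", "pre-share", 2)
    dmap = DynamicCryptoMap("extranet-dyn", ip_network("192.168.1.0/24"),
                            [policy], ip_network("192.168.0.0/16"), "extranet")
    return Hub(dmap), policy


def demo():
    hub, policy = build_hub()
    before = hub.forward("192.168.1.1", "199.1.1.10")   # no SA yet: dropped
    ok, _ = hub.receive_isakmp_proposal("192.168.111.1", policy, "extranet",
                                        "199.1.1.0/24", now=0, lifetime=3600)
    after = hub.forward("192.168.1.1", "199.1.1.10")    # now encrypted
    route = str(hub.routing_table.get(ip_network("199.1.1.0/24")))
    rejected, why = hub.receive_isakmp_proposal("10.9.9.9", policy, "extranet",
                                                "10.9.9.0/24", now=0, lifetime=3600)
    hub.age_out(now=3600)                                # lifetime expires
    still_routed = ip_network("199.1.1.0/24") in hub.routing_table
    return before, ok, after, route, rejected, why, still_routed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the drop before any peer has initiated, the encrypt decision and the injected route once the remote side has negotiated, the refusal of a peer outside the wildcard-key range, and the withdrawal of the route when the SA ages out.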
As the number of remote peers associated with a dynamic crypto map scales upward, so too do the security concerns surrounding the use of wildcard preshared keys. Next, we will discuss two of these concerns, both directly related to key management for dynamically addressed peers, and how to use x-auth during ISAKMP authentication to harden security for dynamically addressed VPN peers.
Multiple wildcard preshared keys can be defined, but the manual configuration involved makes it very difficult for every peer to use its own unique key for IKE authentication as the number of remote and unknown peers scales upward. Therefore, the use of wildcard preshared keys for a large number of unknown peers presents a security risk, because many of those unknown peers typically share a common key. Using IKE x-auth in conjunction with a TACACS+ or RADIUS database such as Cisco Secure Access Control Server (ACS) provides a highly scalable, highly available solution for IPSec peers to authenticate with their own unique credentials.
Adding a peer to a group that uses a common wildcard preshared key for IKE authentication is a simple process: a single configuration of that key on the remote peer. However, removing a peer from that group is more involved and presents security risks. Once a peer is evicted from a group using a common preshared key, that key has become compromised, and must therefore be changed and updated on every remaining peer in the group. For this reason, it is apparent that wildcard preshared keys do not offer the administrative flexibility needed for secure IKE negotiation with dynamically addressed peers. Instead, IKE x-auth should be used so that a peer in the group can be removed without compromising the credentials that the remaining, dynamically addressed peers use for IKE authentication.
IKE x-auth offloads Phase 1 authentication and authorization of remote peers either to a locally configured database on the aggregating router or to a centrally maintained database using TACACS+ or RADIUS. Figure 12-2 describes the authentication process used during IKE x-auth.
Figure 12-2. ISAKMP Phase 1 Negotiation Using Extended Authentication (x-auth)
The following is an outline of the numbered process in Figure 12-2:
1. The remote peer sends an ISAKMP proposal.
2. The local peer checks the ISAKMP proposal against its locally configured policies and finds a match; an IKE SA is established with that proposal using preshared keys.
3. The local peer sends a TACACS+ access-request message to the AAA server.
4. The AAA server responds with either an access-accept or an access-reject message, depending on whether or not the peer is successfully authenticated. In this example, the peer is authenticated by the AAA server and a TACACS+ access-accept message is forwarded back to the local peer.
5. The local peer installs a temporary crypto map using the IP address of the peer that sent the ISAKMP proposal in Step 1.
6. The peers continue to negotiate IPSec SAs.
In the configuration in Example 12-2, the remote 3745 acts as an EZVPN client, connecting dynamically to the 7304, which in this case acts as the VPN concentrator. The concentrator receives the VPN group credentials and password, and uses the group password as the IKE preshared key. IKE x-auth is configured for additional security and flexibility in group and peer administration. Using x-auth, the concentrator prompts the client for an additional authentication check against its locally configured database. The client authenticates using its locally configured username and password under the appropriate group settings.
Note: IKE x-auth occurs after an IKE SA has been created but before an IPSec SA can be created. IKE x-auth therefore does not replace IKE itself, but rather occurs in addition to it. As such, IKE x-auth negotiation is commonly referred to as Phase 1.5 negotiation.
AS1-7304A#
!
! Local user database consulted by x-auth (Phase 1.5)
username as111 privilege 15 password 0 cisco111
!
! AAA method lists: local x-auth authentication and local group authorization
aaa authentication login vpn-auth local
aaa authorization network vpn-auth local
!
! EZVPN group; the group key doubles as the IKE preshared key
crypto isakmp client configuration group extranet
 key cisco
 acl 111
 save-password
!
crypto dynamic-map extranet-dyn 10
 set transform-set extranet-trans
 reverse-route
!
! The list names must match the aaa method lists defined above
crypto map extranet client authentication list vpn-auth
crypto map extranet isakmp authorization list vpn-auth
crypto map extranet 10 ipsec-isakmp dynamic extranet-dyn
!
interface Serial0/0
 crypto map extranet

AS111-3745A#
!
crypto ipsec client ezvpn as111-client
 connect auto
 group extranet key cisco
 mode client
 peer 200.1.1.1
 username as111 password cisco111
!
interface Loopback192
 crypto ipsec client ezvpn as111-client inside
!
interface Serial0/0
 crypto ipsec client ezvpn as111-client
By default, dynamic crypto maps permit peering sessions from any peer that IKE can authenticate. Likewise, by default, all traffic is permitted to and from all peers associating with that dynamic crypto map. Both of these areas can be secured by restricting peering sessions and by using dynamic crypto map ACLs to restrict traffic.
Example 12-3 describes a scenario in which a dynamic crypto map allows HTTP traffic only from peers 192.168.1.1 through 192.168.1.5, but allows both HTTP and SMTP traffic from peers 192.168.1.6 through 192.168.1.10.
AS1-7304A#
!
! Sequence 10: peers .1 through .5, filtered by ACL 113
crypto dynamic-map extranet-dyn 10
 set peer 192.168.1.1
 set peer 192.168.1.2
 set peer 192.168.1.3
 set peer 192.168.1.4
 set peer 192.168.1.5
 set ip access-group 113 in
 set transform-set extranet-trans
 match address 111
 reverse-route
! Sequence 20: peers .6 through .10, filtered by ACL 114
crypto dynamic-map extranet-dyn 20
 set peer 192.168.1.6
 set peer 192.168.1.7
 set peer 192.168.1.8
 set peer 192.168.1.9
 set peer 192.168.1.10
 set ip access-group 114 in
 set transform-set extranet-trans
 match address 111
 reverse-route
!
access-list 113 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 113 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq smtp
access-list 114 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 114 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq smtp
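The two controls in Example 12-3 are easy to reason about once written down as a small evaluator: `set peer` decides which authenticated peers may bind to a given dynamic-map sequence, and the sequence's inbound `set ip access-group` decides which decrypted flows from those peers are forwarded. The following is an added illustration, not code from the book or from IOS. It parses Cisco-style extended ACL lines with wildcard masks (a general parser, so it also handles `any` and `ip` rules the example does not use) and evaluates flows; the ACL text and the flows are constructed to follow the scenario described in the text, with ACL 113 permitting HTTP only and ACL 114 permitting HTTP and SMTP.

```python
"""Evaluate peer restriction ('set peer') and per-sequence inbound filtering
('set ip access-group N in') for a dynamic crypto map. Constructed
illustration; ACL syntax handled: access-list N permit|deny PROTO
SRC SRC-WILDCARD DST DST-WILDCARD [eq PORT], with 'any' for either side."""
from ipaddress import ip_address

PORT_NAMES = {"www": 80, "smtp": 25}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care."""
    addr, base, wildcard = map(ip_address, (addr, base, wildcard))
    care = ~int(wildcard)
    return (int(addr) & care) == (int(base) & care)


def _take_addr(tok, pos):
    """Consume one address spec ('any' or 'base wildcard') starting at pos."""
    if tok[pos] == "any":
        return "0.0.0.0", "255.255.255.255", pos + 1
    return tok[pos], tok[pos + 1], pos + 2


def parse_acl(lines):
    """Return {acl_number: [rule, ...]} preserving configured order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto = tok[1], tok[2], tok[3]
        src, src_wc, pos = _take_addr(tok, 4)
        dst, dst_wc, pos = _take_addr(tok, pos)
        port = None
        if pos + 1 < len(tok) and tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
        acls.setdefault(number, []).append(dict(
            action=action, proto=proto, src=src, src_wc=src_wc,
            dst=dst, dst_wc=dst_wc, port=port))
    return acls


def acl_permits(rules, proto, src, dst, dport):
    """First matching rule wins; every ACL ends in an implicit deny."""
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, r["src"], r["src_wc"]):
            continue
        if not wildcard_match(dst, r["dst"], r["dst_wc"]):
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"] == "permit"
    return False


# Dynamic-map sequences as in Example 12-3: allowed peers and inbound ACL.
DYNAMIC_MAP = {
    10: dict(peers={f"192.168.1.{i}" for i in range(1, 6)}, access_group="113"),
    20: dict(peers={f"192.168.1.{i}" for i in range(6, 11)}, access_group="114"),
}

# Constructed ACL text following the scenario in the text (HTTP only on 113).
ACL_TEXT = """
access-list 113 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 114 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 114 permit tcp 192.168.111.0 0.0.0.255 192.168.1.0 0.0.0.255 eq smtp
""".strip().splitlines()

ACLS = parse_acl(ACL_TEXT)


def evaluate(peer, proto, src, dst, dport):
    """'no peer match' if no sequence lists the peer (IKE would not bind it);
    otherwise the verdict of that sequence's inbound access-group."""
    for seq in sorted(DYNAMIC_MAP):
        entry = DYNAMIC_MAP[seq]
        if peer in entry["peers"]:
            rules = ACLS.get(entry["access_group"], [])
            return "permit" if acl_permits(rules, proto, src, dst, dport) else "deny"
    return "no peer match"


if __name__ == "__main__":
    for flow in [("192.168.1.3", "tcp", "192.168.111.5", "192.168.1.20", 80),
                 ("192.168.1.3", "tcp", "192.168.111.5", "192.168.1.20", 25),
                 ("192.168.1.8", "tcp", "192.168.111.5", "192.168.1.20", 25),
                 ("192.168.1.50", "tcp", "192.168.111.5", "192.168.1.20", 80)]:
        print(flow, "->", evaluate(*flow))
```

The ordering matters: the peer check models the `set peer` restriction applied at IKE time, and only then is the traffic ACL consulted, which mirrors the order in which the router applies the two controls.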
The design topology illustrated in Figure 12-3 outlines a site-to-site extranet deployment in which an enterprise maintains secure connectivity to its numerous extranet partners. The enterprise relies on data feeds from extranet partners for services critical to the operation of the business, but it does not maintain control over the configuration of the remote routers on the extranet partners' premises. Instead, those configurations are maintained by the partner, and they are subject to change over time. As such, the enterprise has chosen to deploy dynamic crypto maps at its local aggregation point for extranet IPSec VPNs, allowing the extranet partners to change their configuration on the fly and dynamically update the IPSec SA peer configuration information on the aggregation router with minimal administrative overhead.
Figure 12-3. Extranet Deployment and Dynamic Crypto Maps
Note the scale of the extranet in Figure 12-3. The simple hub-and-spoke extranet design shown in this figure presents a fair amount of administrative overhead at the hub, particularly when the partner sites control the policy on their VPN endpoints and are prone to change their sessions on the fly. Deploying dynamic crypto maps (and TED, if necessary) can dramatically ease the hub administrator's burden of accommodating the many anticipated changes made at the various extranet partner sites.
To highlight the configuration of a dynamic crypto map, we will select a fixed (extranet partner) end of the tunnel and the dynamic end of the tunnel, and explore the connectivity between those peers, as the larger extranet design is simply an extension of that dynamically established point-to-point IPSec VPN.
Note: For extranet designs such as this one, there will typically be a certain amount of High Availability (HA) designed into the aggregation points. Our discussion in this chapter focuses solely on dynamically addressed peering, and, because of this, HA concepts are not incorporated into these configurations.
Example 12-4 provides a sample configuration for a hub router (AS1-7304A) supporting the extranet design outlined in Figure 12-3.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard preshared key covering all extranet partner peers
crypto isakmp key extranet address 192.168.0.0 255.255.0.0
!
crypto ipsec transform-set extranet-trans esp-3des esp-md5-hmac
!
! No 'set peer': partner peers are learned when they initiate
crypto dynamic-map extranet-dyn 10
 set transform-set extranet-trans
 match address 111
 reverse-route
!
! Source Phase 1 and 2 SAs from Loopback1 instead of the physical interface
crypto map extranet local-address Loopback1
crypto map extranet 10 ipsec-isakmp dynamic extranet-dyn
!
interface Loopback1
 ip address 184.108.40.206 255.255.255.255
!
interface Loopback192
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 ip address 200.1.1.1 255.255.255.252
 encapsulation frame-relay
 frame-relay interface-dlci 102
 frame-relay lmi-type ansi
 crypto map extranet
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
Example 12-5 presents a sample branch router (AS113-3745A) configuration used to establish an IPSec VPN tunnel to the corresponding hub router (AS1-7304A). The extranet topology for this configuration is illustrated in Figure 12-3, and the hub configuration is provided in Example 12-4.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Static key for the hub's Loopback1 address
crypto isakmp key extranet address 18.104.22.168
!
crypto ipsec transform-set extranet-trans esp-3des esp-md5-hmac
!
! The branch is the static end: the hub peer is configured explicitly
crypto map extranet local-address Loopback192
crypto map extranet 10 ipsec-isakmp
 set peer 22.214.171.124
 set transform-set extranet-trans
 match address 111
!
interface Loopback111
 ip address 126.96.36.199 255.255.255.0
!
interface Loopback192
 ip address 192.168.111.1 255.255.255.0
!
interface Serial0/0
 ip address 200.1.1.2 255.255.255.252
 encapsulation frame-relay
 no fair-queue
 clockrate 128000
 frame-relay interface-dlci 201
 crypto map extranet
!
access-list 111 permit ip any 192.168.1.0 0.0.0.255
Example 12-6 illustrates some basic techniques that administrators can use to verify the operation of a dynamic crypto map configuration such as the one on AS1-7304A.
Example 12-6 shows the dynamic IPSec SA built using the dynamic crypto map referenced in Example 12-4. The protected traffic (proxy identity) shown in the IPSec SA is consistent with the access list referenced in the dynamic crypto map of Example 12-4. The remote peer, 192.168.111.1, was learned dynamically. The IPSec SA is built from the IPSec headend loopback interface to the dynamically learned remote peer, 192.168.111.1. It is important to note that sourcing Phase 1 and Phase 2 SAs from the router's loopback is a departure from the default behavior, which is to source the IPSec tunnel from the physical interface to which the crypto map is bound. The encryption/decryption statistics for this SA show that five Internet Control Message Protocol (ICMP) messages were sent across the IPSec tunnel: four were encrypted and their responses decrypted, while the first was dropped during the negotiation of the Phase 1 and Phase 2 SAs.
AS1-7304A#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: extranet, local addr. 18.104.22.168

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.111.1:500
     PERMIT, flags=
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 22.214.171.124, remote crypto endpt.: 192.168.111.1
     path mtu 1500, media mtu 1500
     current outbound spi: ACD63558

     inbound esp sas:
      spi: 0x1EDD5D8D(517823885)
        transform: esp-3des esp-md5-hmac ,
        in use settings =
        slot: 0, conn id: 2000, flow_id: 5, crypto map: extranet
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4474400/1132)
        ike_cookies: 0636F569 27CE6A48 BC7118C8 F037E068
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xACD63558(2899719512)
        transform: esp-3des esp-md5-hmac ,
        in use settings =
        slot: 0, conn id: 2001, flow_id: 6, crypto map: extranet
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4474401/1130)
        ike_cookies: 0636F569 27CE6A48 BC7118C8 F037E068
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
The output in Example 12-7 verifies the operation of the crypto engine as traffic is passed along the VPN path. Note that 4 packets were decrypted (received) from the remote host to initiate tunnel negotiation and that 4 responses to those packets were encrypted on the return path. This is consistent with the traffic statistics in the IPSec SA diagnostic output in Example 12-6.
AS1-7304A#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        0        0
2000 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        0        4
2001 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        4        0
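The checks the text walks through by eye over Examples 12-6 and 12-7 (peer learned dynamically, SA sourced from the loopback rather than Serial0/0, packet counters that agree between the SA and the crypto engine, no send/receive errors, anti-replay enabled) can be automated over the captured output. The following is an added illustration, not code from the book or a Cisco tool. The sample output is constructed from the shape of the two show commands above: the headend loopback address is a placeholder (203.0.113.1) because it is not recoverable from the page, the interface-to-address mapping is taken from Example 12-4, and only the fields the checks need are included.

```python
"""Parse 'show crypto ipsec sa' and 'show crypto engine connections active'
and cross-check them. Constructed sample output; 203.0.113.1 stands in for
the headend Loopback1 address."""
import re

SHOW_IPSEC_SA = """
interface: Serial0/0
    Crypto map tag: extranet, local addr. 203.0.113.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.111.1:500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 192.168.111.1
     current outbound spi: ACD63558

     inbound esp sas:
      spi: 0x1EDD5D8D(517823885)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
     outbound esp sas:
      spi: 0xACD63558(2899719512)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
"""

SHOW_ENGINE = """
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        0        0
2000 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        0        4
2001 Serial0/0       200.1.1.1       set    HMAC_MD5+3DES_56_C        4        0
"""

# Physical interface addresses, from Example 12-4 (constructed mapping)
INTERFACE_ADDRS = {"Serial0/0": "200.1.1.1"}


def parse_ipsec_sa(text):
    """Extract the SA fields the cross-checks need."""
    sa = {"interface": re.search(r"interface:\s+(\S+)", text).group(1),
          "local_addr": re.search(r"local addr\.\s+(\S+)", text).group(1)}
    m = re.search(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", text)
    sa["remote_ident"] = (m.group(1), m.group(2))
    m = re.search(r"current_peer:\s+(\S+?):(\d+)", text)
    sa["peer"], sa["peer_port"] = m.group(1), int(m.group(2))
    sa["counters"] = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", text)
    sa["local_endpt"], sa["remote_endpt"] = m.group(1), m.group(2)
    sa["replay"] = re.findall(r"replay detection support: (\w)", text)
    return sa


def parse_engine(text):
    """Parse the connection table rows into dicts keyed by connection ID."""
    pat = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
    rows = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            rows[int(m.group(1))] = dict(
                interface=m.group(2), ip=m.group(3), state=m.group(4),
                algorithm=m.group(5), encrypt=int(m.group(6)), decrypt=int(m.group(7)))
    return rows


def verify(sa, engine, interface_addrs):
    """Return the pass/fail result of each consistency check."""
    encrypt_total = sum(r["encrypt"] for r in engine.values())
    decrypt_total = sum(r["decrypt"] for r in engine.values())
    return {
        # no 'set peer' in the dynamic map: remote proxy is 0.0.0.0/0
        "peer_learned_dynamically": sa["remote_ident"] == ("0.0.0.0", "0.0.0.0"),
        # 'crypto map ... local-address Loopback1' moves the SA source off Serial0/0
        "sourced_from_loopback": sa["local_endpt"] != interface_addrs.get(sa["interface"]),
        "peer_matches_endpoint": sa["peer"] == sa["remote_endpt"] and sa["peer_port"] == 500,
        # engine Encrypt/Decrypt columns must agree with the SA encaps/decaps
        "counters_consistent": (sa["counters"]["encaps"] == encrypt_total
                                and sa["counters"]["decaps"] == decrypt_total),
        "no_errors": sa["send_errors"] == 0 and sa["recv_errors"] == 0,
        "replay_protection_on": bool(sa["replay"]) and all(r == "Y" for r in sa["replay"]),
    }


def run_checks():
    return verify(parse_ipsec_sa(SHOW_IPSEC_SA), parse_engine(SHOW_ENGINE), INTERFACE_ADDRS)


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:26s} {'PASS' if ok else 'FAIL'}")
```

Row 3 in the engine table is the ISAKMP SA, which carries no ESP traffic, so summing the Encrypt and Decrypt columns over all rows still yields the 4/4 that the IPSec SA counters report; a mismatch here would point at traffic taking a path other than the expected SA.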