Troubleshooting DMVPNs (2012 San Diego)
 

This session presents a methodical technique for troubleshooting Dynamic Multipoint VPN (DMVPN) networks. The session starts with a short overview of DMVPN functionality and then concentrates on a four-layer troubleshooting methodology. These four layers are IP infrastructure layer (peer connectivity), IPsec encryption layer (IPsec/ISAKMP), GRE/NHRP layer (NHRP), and the VPN layer (IP routing protocols). Explicit troubleshooting examples with solutions are shown that are based on the most common DMVPN design and implementation issues as seen by Cisco Technical Assistance Center (TAC) engineers. This session is for designers, managers, and troubleshooters of extended corporate DMVPNs and for service providers deploying these services.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4384

    Presentation Transcript

    • Troubleshooting Dynamic Multipoint VPN (DMVPN), BRKSEC-3052. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Housekeeping
       We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
       Visit the World of Solutions and Meet the Engineer
       Visit the Cisco Store to purchase your recommended readings
       Please switch off your mobile phones
       After the event don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
    • Other Related Sessions, Cisco Live 2012
       BRKSEC-3051: Troubleshooting GETVPN deployments
       BRKSEC-3053: Deploying GET to Secure VPN
       BRKSEC-4054: DMVPN Deployment Models
       BRKSEC-3013: Advanced IPSec with FlexVPN and IKEv2
    • Agenda
       DMVPN Overview
       Four Layer Troubleshooting Methodology
       Common Issues
       Case Study
       DMVPN Best Practice Configuration
       Q&A
    • DMVPN Overview
    • Dynamic Multipoint VPN: Secure On-Demand Meshed Tunnels
       Provides full meshed connectivity with simple configuration of hub and spoke
       Supports dynamically addressed spokes
       Facilitates zero-touch configuration for addition of new spokes
       Features automatic IPsec triggering for building an IPsec tunnel
      [Figure: hub with Spoke 1, Spoke 2 … Spoke n; legend: DMVPN tunnels (dynamic, unknown IP addresses) versus traditional static tunnels (static, known IP addresses)]
    • What Is Dynamic Multipoint VPN?
       DMVPN is a Cisco IOS Software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
       DMVPN relies on two proven technologies:
        Next Hop Resolution Protocol (NHRP): creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
        Multipoint GRE Tunnel Interface: single GRE interface to support multiple GRE/IPsec tunnels; simplifies size and complexity of configuration
    • DMVPN: How It Works
      Spokes have a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes; they register as clients of the NHRP server. When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke. Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address). The spoke-to-spoke tunnel is built over the mGRE interface. When traffic ceases, the spoke-to-spoke tunnel is removed.
    • Dynamic Multipoint VPN (DMVPN) Major Features
       Configuration reduction and no-touch deployment
       IP(v4/v6) unicast, IP multicast and dynamic routing protocols
       Spokes with dynamically assigned addresses
       NAT: spoke routers behind dynamic NAT and hub routers behind static NAT
       Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs
       Can be used without IPsec encryption
       VRFs: GRE tunnels and/or data packets in VRFs
       2547oDMVPN: MPLS switching over tunnels
       QoS: aggregate; static/manual per-tunnel
       Transparent to most data packet level features
       Wide variety of network designs and options
    • DMVPN Components
       Next Hop Resolution Protocol (NHRP): creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
       Multipoint GRE Tunnel Interface (mGRE): single GRE interface to support multiple GRE/IPsec tunnels; simplifies size and complexity of configuration
       IPsec tunnel protection: dynamically creates and applies encryption policies
       Routing: dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
    • "Static" Spoke-Hub, Hub-Hub Tunnels
       GRE, NHRP and IPsec configuration: p-pGRE or mGRE on spokes; mGRE on hubs
       NHRP registration: dynamically addressed spokes (DHCP, NAT, …)
       Routing protocol, NHRP, and IP multicast on spoke-hub and hub-hub tunnels
       Data traffic on spoke-hub tunnels: all traffic for hub-and-spoke only networks; spoke-spoke traffic while building spoke-spoke tunnels
    • Dynamic Spoke-Spoke Tunnels
       GRE, NHRP and IPsec configuration: mGRE on both hub and spokes
       Spoke-spoke unicast data traffic: reduced load on hubs; reduced latency; single IPsec encrypt/decrypt
       On-demand tunnel: created when needed
       NHRP resolutions and redirects: find NHRP mappings for spoke-spoke tunnels
    • DMVPN Phases
      Phase 1 (12.2(13)T): Hub and spoke functionality
       Simplified and smaller config for hub & spoke
       Support dynamically addressed CPE
       Support for multicast traffic from hub to spoke
       Summarize routing at hub
      Phase 2 (12.3(4)T): Spoke to spoke functionality
       Single mGRE interface in spokes
       Direct spoke to spoke data traffic, reduced load on hub
       Cannot summarize spoke routes on hub
       Route on spoke must have IP next hop of remote spoke
      Phase 3 (12.4(6)T): Architecture and scaling
       Increase number of hubs with same hub and spoke ratio
       No hub daisy-chain
       Spokes don't need full routing table
       OSPF routing protocol not limited to 2 hubs
       Cannot mix phase 2 and phase 3 in same DMVPN cloud
    • Network Designs
      [Figure: design variants: Hub and spoke (Phase 1), Spoke-to-spoke (Phase 2), Hierarchical (Phase 3), Server Load Balancing, VRF-lite, 2547oDMVPN; legend: spoke-to-hub tunnels, spoke-to-spoke tunnels, 2547oDMVPN tunnels]
    • Four Layer Troubleshooting Methodology
    • Before You Begin
       Sync up the timestamps between the hub and spoke
       Enable msec debug and log timestamps:
          service timestamps debug datetime msec
          service timestamps log datetime msec
       Enable "terminal exec prompt timestamp" for the debugging sessions. This way you can easily correlate the debug output with the show command output
    • Four Layer Troubleshooting Methodology Four layers for troubleshooting Physical and routing layer IPsec encryption layer—IPsec/ISAKMP GRE encapsulation layer—NHRP VPN routing layer—routing and IP data X Y VPN Layer X Y IPsec GRE/NHRP b EIGRP/OSPF/RIP/ODR a Tunnel Tunnel Dest. a Dest. b STATIC STATIC EIGRP 2 EIGRP 2 OSPF 2 OSPF 2 BGP IP Infrastructure Layer BGP BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
    • Four Layers for Troubleshooting:Physical and Routing Layer Physical (NBMA or tunnel endpoint) routing layer This is getting the encrypted tunnel packets between the tunnel endpoints (DMVPN hub and spoke or between spoke and spoke routers) b a Tunnel Tunnel Dest. a Dest. b STATIC STATIC EIGRP 2 EIGRP 2 OSPF 2 OSPF 2 BGP IP Infrastructure Layer BGP BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
    • Four Layers for Troubleshooting:Physical and Routing Layer Ping from the hub to the spokes using NBMA addresses (and reverse): These pings should go directly out the physical interface, not through the DMVPN tunnel Hopefully there isnt a firewall that blocks ping packets If this doesnt work, check the routing and any firewalls between the hub and spoke routers Also use traceroute to check the path that the encrypted tunnel packets are taking Check for “administratively prohibited” (ACL) messages BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
    • Four Layers for Troubleshooting:Physical and Routing Layer (Cont) Debugs and show commands use if no connectivity debug ip icmp Valuable tool used to troubleshoot connectivity issues Helps you determine whether the router is sending or receiving ICMP messages ICMP: rcvd type 3, code 1, from 172.17.0.1 ICMP: src 172.17.0.1, dst 172.16.1.1, echo reply ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15 ICMP: src 172.17.0.5, dst 172.16.1.1, echo reply Debug icmp field descriptions: http://www.cisco.com/en/US/docs/ios/12_3/debug/ command/referencedbg_i1g.html#wp1017595 BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
    • Four Layers for Troubleshooting:Physical and Routing Layer (Cont.) Debugs and show commands use if no connectivity (cont.) debug ip packet [access-list-number] [detail] [dump] Useful tool use for troubleshooting end to end communication IP packet debugging captures the packets that are process switched including received, generated and forwarded packets. IP: s=172.16.1.1 (local), d=172.17.0.1 (FastEthernet0/1), len 100, sending ICMP type=8, code=0 IP: table id=0, s=172.17.0.1 (FastEthernet0/1), d=172.16.1.1 (FastEthernet0/1), routed via RIB IP: s=172.17.0.1 (FastEthernet0/1), d=172.16.1.1 (FastEthernet0/1), len 100, rcvd 3 ICMP type=0, code=0 Caution: Debug IP packet command can generate a substantial amount of output and uses a substantial amount of system resources. This command should be used with caution in production networks. Always use with an ACL. BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
    • Four Layers for Troubleshooting: Physical and Routing Layer (Cont.)
      Common issues:
       ACL on the firewall/ISP side blocks ISAKMP traffic
       Traffic filtering resulting in traffic flowing in one direction only
    • Common Issues: ACL in Firewall/ISP Side Blocks ISAKMP Traffic
      Problem:
       Network connectivity between hub and spoke is fine
       IPsec tunnel is not coming up
      How to detect? show crypto isa sa
          IPv4 Crypto ISAKMP SA
          dst             src             state          conn-id slot status
          172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
          172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
          172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
          172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
      Callout on the output: VPN tunnel flapping
    • Common Issues:ACL in Firewall/ISP Side Block ISAKMP Traffic Further check debug crypto isakmp to verify spoke router is sending udp 500 packet debug crypto isakmp 04:14:44.450: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 04:14:44.450: ISAKMP:(0): beginning Main Mode exchange 04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE 04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet. 04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE... 04:14:54.450: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1 04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE 04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE 04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet. 04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE... 04:15:04.450: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1 04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE 04:15:04.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE 04:15:04.450: ISAKMP:(0):Sending an IKE IPv4 Packet. Above debug output shows spoke router is sending udp 500 packet every 10 secs BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
    • Common Issues:ACL in Firewall/ISP Side Block ISAKMP Traffic How to fix? Check with either firewall admin OR ISP admin if spoke router is directly connected to ISP router to make sure they are allowing udp 500 traffic After ISP or Firewall admin allowed udp 500 add inbound ACL in egress interface which is tunnel source interface to allow udp 500 to make sure UDP 500 traffic coming into the router show access-list to verify hit counts are incrementing show access-lists 101 Extended IP access list 101 10 permit udp host 172.17.0.1 host 172.16.1.1 eq isakmp log (4 matches) 20 permit udp host 172.17.0.5 host 172.16.1.1 eq isakmp log (4 matches) 30 permit ip any any (295 matches) Caution: Make sure you have IP any any allowed in your access-list otherwise all other traffic will be blocked by this acl applied inbound on egress interface. BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
    • Common Issues:ACL in Firewall/ISP Side Block ISAKMP Traffic How to verify? show crypto isa sa IPv4 Crypto ISAKMP SA Phase 1 is UP, UDP dst src state conn-id slot status 500 packet 172.17.0.1 172.16.1.1 QM_IDLE 1009 0 ACTIVE received 172.17.0.5 172.16.1.1 QM_IDLE 1008 0 ACTIVE debug crypto isa ISAKMP:(0):Old State = IKE_READY New State =IKE_I_MM1 ISAKMP:(0): beginning Main Mode exchange ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE ISAKMP (0:0): received packet from 172.17.0.1 dport 500 sport 500 Global (I) MM_NO_STATE ISAKMP:(0):Sending an IKE IPv4 Packet Old State = IKE_R_MM1 New State = IKE_R_MM2 ISAKMP:(0):atts are acceptable … ISAKMP:(1009):Old State = IKE_R_MM3 New State IKE_R_MM3 … ISAKMP:(1009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
    • Common Issues: Traffic Filtering, Traffic Flows in One Direction
      Problem:
       VPN tunnel between spoke and spoke router is UP
       Unable to pass data traffic
      How to detect?
          spoke1# show crypto ipsec sa peer 172.16.2.11
            local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
            remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
            #pkts encaps: 110, #pkts encrypt: 110,
            #pkts decaps: 0, #pkts decrypt: 0,
            local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.11
            inbound esp sas:
              spi: 0x4C36F4AF(1278669999)
            outbound esp sas:
              spi: 0x6AC801F4(1791492596)

          spoke2# show crypto ipsec sa peer 172.16.1.1
            local  ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
            remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
            #pkts encaps: 116, #pkts encrypt: 116,
            #pkts decaps: 110, #pkts decrypt: 110,
            local crypto endpt.: 172.16.2.11, remote crypto endpt.: 172.16.1.1
            inbound esp sas:
              spi: 0x6AC801F4(1791492596)
            outbound esp sas:
              spi: 0x4C36F4AF(1278669999)
      There are no decap packets on Spoke 1, which means ESP packets are dropped somewhere in the return path from Spoke 2 towards Spoke 1
    • Common Issues:Traffic Filtering, Traffic Flows One Direction How to fix? Spoke 2 router shows both encap and decap which means either firewall in spoke 2 customer side ahead of router or ISP device in spoke 2 or any where in path between spoke 2 router and spoke 1 router filter ESP traffic How to verify? spoke1# show crypto ipsec sa peer 172.16.2.11 local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0) #pkts encaps: 300, #pkts encrypt: 300 #pkts decaps: 200, #pkts decrypt: 200, spoke2#sh cry ipsec sa peer 172.16.1.1 local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0) #pkts encaps: 316, #pkts encrypt: 316, #pkts decaps: 300, #pkts decrypt: 310, After allowed ESP (IP protocol 50) Spoke 1 and Spoke 2 both shows encaps and decaps, counters are incrementing. BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
    • Four Layers for Troubleshooting:IPsec Encryption Layer The IPsec encryption layer— This is encrypting the GRE tunnel packet going out and decrypting the IPsec packet coming in to reveal the GRE encapsulated packet IPsec b a Tunnel Tunnel Dest. a STATIC STATIC Dest. b EIGRP 2 EIGRP 2 OSPF 2 OSPF 2 BGP BGP IP Infrastructure Layer BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
    • Four Layers for Troubleshooting:IPsec Encryption Layer—IPsec ComponentDMVPN Component-Ipsec DMVPN introduced tunnel protection The profile must be applied on the tunnel interface tunnel protection ipsec profile prof Internally Cisco IOS Software will treat this as a dynamic crypto map and it derives the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache This must be configured on the hub and spoke tunnels BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
    • Four Layers for Troubleshooting: IPsec Encryption Layer, DMVPN Component IPsec (Cont.)
       A transform set must be defined:
          crypto ipsec transform-set ts esp-3des esp-sha-hmac
           mode transport
       An IPsec profile replaces the crypto map:
          crypto ipsec profile prof
           set transform-set ts
       The IPsec profile is like a crypto map without "set peer" and "match address":
          interface Tunnel0
           ip address 10.0.0.1 255.255.255.0
           :
           tunnel source FastEthernet0/0
           tunnel protection ipsec profile prof
      Note: GRE Tunnel Keepalives are not supported in combination with Tunnel Protection
    • Four Layers for Troubleshooting:IPsec Encryption LayerIPsec Layer Verification-show commands Verify that ISAKMP SAs and IPsec SAs between the NBMA addresses of the hub and spoke have being created show crypto isakmp sa detail show crypto IPsec sa peer <NBMA-address-peer> Notice SA lifetime values If they are close to the configured lifetimes (default --24 hrs for ISAKMP and 1 hour for IPsec) then that means these SAs have been recently negotiated If you look a little while later and they have been re-negotiated again, then the ISAKMP and/or IPsec may be bouncing up and down BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
    • Four Layers for Troubleshooting: IPsec Encryption Layer, IPsec Layer Verification (show commands, cont.)
       New show commands for DMVPN introduced in 12.4(9)T, with brief and detail output
       show dmvpn detail covers both ISAKMP phase 1 and IPsec phase 2 status
       Prior to 15.x, it does not show the remaining lifetime for either ISAKMP phase 1 or IPsec phase 2; to check lifetimes, still use the old commands
          show dmvpn [ {interface <i/f>} | {vrf <vrf-name>} | {peer {{nbma | tunnel} <ip-addr>} | {network <ip-addr> <mask>}} ] [detail]
    • Four Layers for Troubleshooting: IPsec Encryption Layer, IPsec Layer Verification (debug commands)
       Check the debug output on both the spoke and the hub at the same time:
          debug crypto isakmp
          debug crypto ipsec
          debug crypto engine
         New command, introduced in 12.4(9)T: debug dmvpn detail crypto
       Use conditional debugging on the hub router to restrict the crypto debugs to only show debugs for the particular spoke in question:
          debug crypto condition peer ipv4 <nbma address>
          debug dmvpn condition peer <nbma|tunnel>
       Verify the communication between NHRP and IPsec by showing the crypto map and socket tables:
          show crypto map
          show crypto socket
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands
      show crypto isakmp sa
          Router# show crypto isakmp sa
          dst             src             state    conn-id slot
          172.17.0.1      172.16.1.1      QM_IDLE        1    0
      Callout: QM_IDLE means IKE Phase 1 status is UP
      show crypto isakmp sa detail
          Router# show crypto isakmp sa detail
          Codes: C - IKE configuration mode, D - Dead Peer Detection
                 K - Keepalives, N - NAT-traversal
                 X - IKE Extended Authentication
                 psk - Preshared key, rsig - RSA signature, renc - RSA encryption
          C-id  Local       Remote      I-VRF  Encr  Hash  Auth  DH  Lifetime  Cap.
          1     172.16.1.1  172.17.0.1
                Connection-id:Engine-id = 1:1(hardware)
      Callouts on the detail output: Encr shows the encryption (3des here), Auth the authentication (pre-shared key), Lifetime the remaining lifetime before the phase 1 re-key
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands
      show crypto ipsec sa
          Router# show crypto ipsec sa
          interface: Ethernet0/3
              Crypto map tag: vpn, local addr. 172.17.0.1
             local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
             remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
             current_peer: 172.17.0.1:500
               PERMIT, flags={origin_is_acl,}
              #pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
              #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
              #pkts compressed: 0, #pkts decompressed: 0
              #pkts not compr'ed: 0, #pkts compr. failed: 0, #pkts decompr. failed: 0
              #send errors 1, #recv errors 0
               local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.17.0.1
               path mtu 1500, media mtu 1500
               current outbound spi: 8E1CB77A
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands
      show crypto ipsec sa (cont.)
               inbound esp sas:
                spi: 0x4579753B(1165587771)
                  transform: esp-3des esp-md5-hmac ,
                  in use settings ={Tunnel, }
                  slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
                  sa timing: remaining key lifetime (k/sec): (4456885/3531)
                  IV size: 8 bytes
                  replay detection support: Y
               outbound esp sas:
                spi: 0x8E1CB77A(2384246650)
                  transform: esp-3des esp-md5-hmac ,
                  in use settings ={Tunnel, }
                  slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
                  sa timing: remaining key lifetime (k/sec): (4456885/3531)
                  IV size: 8 bytes
                  replay detection support: Y
      Callout: "remaining key lifetime" is the remaining lifetime before re-key
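Two checks on `show crypto ipsec sa` output, as an added example that is not part of the session: the first localises the one-direction ESP drop from the traffic-filtering case above by comparing the encaps/decaps counters of both spokes; the second applies the lifetime rule from the IPsec layer verification slide, reading `remaining key lifetime (k/sec)` to tell whether an SA was negotiated recently and, from two snapshots taken a known time apart, whether it was rebuilt in between (the bouncing the slide warns about). The captures are constructed from the counter and lifetime values on the slides; the "recent" threshold and the 5-second jitter allowance are this example's own assumptions, and the configured IPsec lifetime defaults to the 1 hour the slide quotes.

```python
"""Counter-based ESP drop localisation and SA-lifetime checks over
'show crypto ipsec sa' output.  Added example, not the session's material;
samples are constructed from values shown on the slides."""
import re

# Constructed samples: the 'how to detect' outputs from spoke1 and spoke2.
SPOKE1_BROKEN = """\
spoke1# show crypto ipsec sa peer 172.16.2.11
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
    #pkts encaps: 110, #pkts encrypt: 110,
    #pkts decaps: 0, #pkts decrypt: 0,
"""
SPOKE2_BROKEN = """\
spoke2# show crypto ipsec sa peer 172.16.1.1
    #pkts encaps: 116, #pkts encrypt: 116,
    #pkts decaps: 110, #pkts decrypt: 110,
"""
# Constructed samples: the 'how to verify' outputs once ESP was permitted.
SPOKE1_FIXED = "#pkts encaps: 300, #pkts encrypt: 300\n#pkts decaps: 200, #pkts decrypt: 200,\n"
SPOKE2_FIXED = "#pkts encaps: 316, #pkts encrypt: 316,\n#pkts decaps: 300, #pkts decrypt: 310,\n"

# Constructed samples: 'sa timing' lines of one inbound/outbound SA pair, first
# as on the slide, then 600 s later in a healthy run and in a rebuilt run.
SA_T0 = "sa timing: remaining key lifetime (k/sec): (4456885/3531)\n" * 2
SA_T1_HEALTHY = "sa timing: remaining key lifetime (k/sec): (4456001/2931)\n" * 2
SA_T1_REKEYED = "sa timing: remaining key lifetime (k/sec): (4608000/3590)\n" * 2

COUNTERS = re.compile(r"#pkts (encaps|decaps): (\d+)")
LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def sa_counters(show_output):
    """Return {'encaps': n, 'decaps': n} for one 'show crypto ipsec sa' block."""
    found = {name: int(val) for name, val in COUNTERS.findall(show_output)}
    return {"encaps": found.get("encaps", 0), "decaps": found.get("decaps", 0)}


def localize_one_way_drop(a_name, a_out, b_name, b_out):
    """Both ends encapsulate but only one decapsulates: ESP is being dropped on
    the path toward the end whose decaps counter stays at zero."""
    a, b = sa_counters(a_out), sa_counters(b_out)
    if not (a["encaps"] and b["encaps"]):
        return "no traffic offered on at least one side; nothing to conclude yet"
    if a["decaps"] == 0 and b["decaps"] > 0:
        return f"ESP (IP protocol 50) dropped on path {b_name} -> {a_name}"
    if b["decaps"] == 0 and a["decaps"] > 0:
        return f"ESP (IP protocol 50) dropped on path {a_name} -> {b_name}"
    if a["decaps"] == 0 and b["decaps"] == 0:
        return "ESP dropped in both directions"
    return "bidirectional: both ends encapsulate and decapsulate"


def sa_age_seconds(show_output, configured_lifetime_sec=3600):
    """Age of the youngest SA in the output: configured lifetime (IPsec default
    1 hour) minus the largest remaining-seconds value.  None if no SA is shown."""
    remaining = [int(sec) for _, sec in LIFETIME.findall(show_output)]
    return configured_lifetime_sec - max(remaining) if remaining else None


def recently_negotiated(show_output, configured_lifetime_sec=3600, threshold_sec=300):
    """True when the SA is younger than threshold_sec (assumed: 5 minutes)."""
    age = sa_age_seconds(show_output, configured_lifetime_sec)
    return age is not None and age < threshold_sec


def renegotiated_between(snap1, snap2, elapsed_sec, configured_lifetime_sec=3600):
    """Compare two snapshots taken elapsed_sec apart.  A stable SA simply ages by
    elapsed_sec; a younger-than-expected SA in the second snapshot was rebuilt in
    between.  A rekey that falls due inside the window is expected, not a fault."""
    age1 = sa_age_seconds(snap1, configured_lifetime_sec)
    age2 = sa_age_seconds(snap2, configured_lifetime_sec)
    if age1 is None or age2 is None:
        return None
    if age1 + elapsed_sec >= configured_lifetime_sec:
        return False                      # natural expiry inside the window
    return age2 < age1 + elapsed_sec - 5  # 5 s slack for sampling jitter (assumed)


if __name__ == "__main__":
    print(localize_one_way_drop("spoke1", SPOKE1_BROKEN, "spoke2", SPOKE2_BROKEN))
    print(localize_one_way_drop("spoke1", SPOKE1_FIXED, "spoke2", SPOKE2_FIXED))
    print(sa_age_seconds(SA_T0), renegotiated_between(SA_T0, SA_T1_REKEYED, 600))
```

On the slide values the first call reports the drop on the spoke2 -> spoke1 path, matching the conclusion on the slide, and the fixed counters come back as bidirectional. The SA with 3531 seconds remaining is 69 seconds old, so it was negotiated recently; whether that is a problem only shows when the second snapshot is younger than its age plus the elapsed time.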
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands
      show dmvpn
          HUB-1# show dmvpn
          Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                  N - NATed, L - Local, X - No Socket
                  # Ent --> Number of NHRP entries with same NBMA peer

          Tunnel1, Type:Hub, NHRP Peers:2,
           # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
           ----- --------------- --------------- ----- -------- -----
               1 1.1.1.1         172.20.1.1         UP 00:04:32 D
               1 2.2.2.2         172.20.1.2         UP 00:01:25 D
      Callout: Attrb D means learned dynamically; such entries show either on the hub or on a spoke for spoke-to-spoke tunnels
          SPOKE-1# show dmvpn
          Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                  N - NATed, L - Local, X - No Socket
                  # Ent --> Number of NHRP entries with same NBMA peer

          Tunnel1, Type:Spoke, NHRP Peers:1,
           # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
           ----- --------------- --------------- ----- -------- -----
               1 3.3.3.3         172.20.1.100       UP 00:21:56 S
      Callout: Attrb S means static NHRP mapping
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands
      show dmvpn detail
          R600_spokeB# show dmvpn detail
          Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                  N - NATed, L - Local, X - No Socket
                  # Ent --> Number of NHRP entries with same NBMA peer
                  NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
                  UpDn Time --> Up or Down Time for a Tunnel
          ==========================================================================

          Interface Tunnel0 is up/up, Addr. is 10.10.10.6, VRF ""
             Tunnel Src./Dest. addr: 172.16.2.1/MGRE, Tunnel VRF ""
             Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-ikev2"
          IPv4 NHS: 10.10.10.2 RE priority = 0 cluster = 0
          Type:Spoke, Total NBMA Peers (v4/v6): 3
          # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
          ----- --------------- --------------- ----- -------- ----- -----------------
              1 172.17.0.9      10.10.10.2         UP 18:15:07    S     10.10.10.2/32
              2 172.16.7.2      10.10.10.7         UP 00:02:36    D     10.10.10.7/32
              0 172.16.7.2      10.10.10.7         UP 00:02:36  DT1   192.168.19.0/24
              1 172.16.2.1      10.10.10.6         UP 00:02:36  DLX   192.168.18.0/24
      Callouts: D = learned dynamically; DT1 = dynamic tunnel for spoke to spoke; DLX = dynamic, local, no socket
    • Four Layers for Troubleshooting: IPsec Encryption Layer, Show Commands (cont.)
      show dmvpn detail (cont.)
          R600_spokeB# show dmvpn detail
          Crypto Session Details:
          --------------------------------------------------------------------------------

          Interface: Tunnel0
          Session: [0x0916D430]
            IKEv2 SA: local 172.16.2.1/500 remote 172.17.0.9/500 Active
                    Capabilities:(none) connid:1 lifetime:05:44:52
            Crypto Session Status: UP-ACTIVE
            fvrf: (none),Phase1_id: 172.17.0.9
            IPSEC FLOW: permit 47 host 172.16.2.1 host 172.17.0.9
                  Active SAs: 2, origin: crypto map
                  Inbound:  #pkts deced 14818 drop 0 life (KB/Sec) 4200810/3377
                  Outbound: #pkts enced 28979 drop 0 life (KB/Sec) 4200805/3377
            Outbound SPI : 0x25C41C2C, transform : esp-3des esp-sha-hmac
              Socket State: Open

          Interface: Tunnel0
          Session: [0x0916D330]
            IKEv1 SA: local 172.16.2.1/500 remote 172.16.7.2/500 Active
                    Capabilities:(none) connid:1039 lifetime:23:57:22
            Crypto Session Status: UP-ACTIVE
            fvrf: (none),Phase1_id: 172.16.7.2
            IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.7.2
                  Inbound:  … drop 0 life (KB/Sec) 4305525/3443
                  Outbound: #pkts enced 41 drop 0 life (KB/Sec) 4305525/3443
            Outbound SPI : 0x57A1D6F6, transform : esp-3des esp-sha-hmac
              Socket State: Open
      Callouts: the first session is an IKEv2 session, the second an IKEv1 session; "Crypto Session Status" is the crypto session status and "Socket State" the socket state
    • Four Layers for Troubleshooting: IPsec Encryption Layer, debug crypto condition
       To enable crypto conditional debugging:
          debug crypto condition <cond-type> <cond-value>
          debug crypto { isakmp | ipsec | engine }
       To view crypto condition debugs that have been enabled:
          show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
       To disable crypto condition debugs:
          debug crypto condition reset
    • Four Layers for Troubleshooting: IPsec Encryption Layer, debug dmvpn detail all
      [Figure: debug dmvpn detail all combines debug tunnel protection, debug crypto socket, debug crypto isakmp, debug crypto ipsec and debug nhrp packet]
       debug dmvpn introduced in 12.4(9)T
          debug dmvpn {[{condition [unmatched] | [peer [nbma | tunnel {ip-address}]] | [vrf {vrf-name}] | [interface {tunnel number}]}] | [{error | detail | packet | all} {nhrp | crypto | tunnel | socket | all}]}
       One complete debug to help troubleshoot DMVPN issues
    • Four Layers for Trouble­shooting: IPsec Encryption Layer, debug dmvpn detail all (Cont.)
      [Figure: the debug dmvpn component map, with debug tunnel protection highlighted]
       Tunnel protection configured on the tunnel interface opens a crypto socket as soon as either the router or the tunnel interface comes up
          IPSEC-IFC MGRE/Tu0: Checking tunnel status
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Opening a socket with profile dmvpn
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 0
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Triggering tunnel immediately.
          IPSEC-IFC MGRE/Tu0: tunnel coming up
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Opening a socket with profile dmvpn
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 83884274
          IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Socket is already being opened. Ignoring.
    • Four Layers for Troubleshooting: IPsec EncryptionLayer—debug dmvpn detail all (Cont.)debug tunnel debug crypto debug crypto debug crypto debug tunnel debug nhrpprotection socket isakmp IPsec protection packet  Shows socket state  Crypto socket debug shows creation of local and remote proxy id CRYPTO_SS (TUNNEL SEC): Application started listening insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON CRYPTO_SS(TUNNEL SEC): Active open, socket info: local 172.16.2.11 172.16.2.11/255.255.255.255/0, remote 172.17.0.1 172.17.0.1/255.255.255.255/0, prot 47, ifc Tu0 BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
    • Four Layers for Troubleshooting: IPsec EncryptionLayer—debug dmvpn detail all (Cont.)debug tunnel debug crypto debug crypto debug crypto debug tunnel debug nhrpprotection socket isakmp IPsec protection packet  IKE negotiation  Shows six packet exchange(MM1-MM6) in main mode ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 ISAKMP:(0): beginning Main Mode exchange ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE ISAKMP:(0):Sending an IKE IPv4 Packet ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 IKE has found matching ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy policy ISAKMP:(0):atts are acceptable. Next payload is 0 ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 IKE complete ISAKMP:(1051):Old State = IKE_I_MM4 New State = IKE_I_MM5 authentication ISAKMP:(1051):Old State = IKE_I_MM5 New State = IKE_I_MM6 ISAKMP:(1051):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
    • Four Layers for Troubleshooting: IPsec EncryptionLayer—debug dmvpn detail all (Cont.)debug tunnel debug crypto debug crypto debug crypto debug tunnel debug nhrpprotection socket isakmp IPsec protection packet  IKE negotiates to set up the IP Security (IPsec) SA by searching for a matching transform set  Creation of inbound and outbound security association database (SADB) ISAKMP:(1051):beginning Quick Mode exchange, M-ID of 1538742728 ISAKMP:(1051):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 ISAKMP:(1051):atts are acceptable. INBOUND local= 172.16.2.11, remote= 172.17.0.5, local_proxy= 172.16.2.11/255.255.255.255/47/0 (type=1), remote_proxy= 172.17.0.5/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac (Transport), ISAKMP:(1051): Creating IPsec SAs inbound SA from 172.17.0.5 to 172.16.2.11 (f/i) 0/ 0 (proxy 172.17.0.5 to 172.16.2.11) has spi 0xE563BB42 and conn_id 0 outbound SA from 172.16.2.11 to 172.17.0.5 (f/i) 0/0 Phase 2 Complete (proxy 172.16.2.11 to 172.17.0.5) has spi 0xFE745CBD and conn_id 0 ISAKMP:(1051):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
• Four Layers for Troubleshooting: IPsec Encryption Layer - Common Issues
  - Incompatible ISAKMP policy
  - DMVPN hub and EzVPN server in the same router
  - Incompatible IPsec transform set
• Common Issues: Incompatible ISAKMP Policy
  - If none of the configured ISAKMP policies matches the policy proposed by the remote peer, the router tries the default policy (priority 65535); if that does not match either, ISAKMP negotiation fails.
  - Default protection suite (as listed by show crypto isakmp policy):
      encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
      hash algorithm:         Secure Hash Standard
      authentication method:  Rivest-Shamir-Adleman Signature
      Diffie-Hellman group:   #1 (768 bit)
      lifetime:               86400 seconds, no volume limit
  - show crypto isakmp sa shows the ISAKMP SA stuck in MM_NO_STATE, meaning main mode failed.
  - Caveat: the fallback also means a peer offering exactly DES / SHA / RSA signatures / group 1 is accepted even though no configured policy allows it. DES and 768-bit Diffie-Hellman are far below current minimums; on releases that ship built-in default policies, no crypto isakmp default policy removes them, and show crypto isakmp policy confirms whether a default suite is still present.
• Common Issues: Incompatible ISAKMP Policy (Cont.)
  Messages 1 and 2 of ISAKMP main mode. The peer proposes 3DES / MD5 / pre-share / group 1. The configured priority 1 policy fails on the hash algorithm; the default policy 65535 then fails on the encryption algorithm (it only allows DES), so no offer is accepted.

    ISAKMP (0:1): processing SA payload. message ID = 0
    ISAKMP (0:1): found peer pre-shared key matching 209.165.200.227
    ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash MD5
    ISAKMP:      default group 1
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0:1): Hash algorithm offered does not match policy!
    ISAKMP (0:1): atts are not acceptable. Next payload is 0
    ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash MD5
    ISAKMP:      default group 1
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0:1): Encryption algorithm offered does not match policy!
    ISAKMP (0:1): atts are not acceptable. Next payload is 0
    ISAKMP (0:1): no offers accepted!
    ISAKMP (0:1): phase 1 SA not acceptable!

  The life duration bytes 0x0 0x1 0x51 0x80 are 0x15180 = 86400 seconds, the proposed Phase 1 lifetime.
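The policy walk in the debug above, as an added Python model. This is not from the session and not IOS code: IkePolicy, negotiate_phase1 and accepted_only_by_default are names chosen here, and the trace strings are modelled on the ISAKMP debug rather than copied from it. It assumes policies are tried in ascending priority order followed by the implicit default 65535, and that a match requires identical encryption, hash, authentication and DH group (lifetime is negotiated to the shorter value and is deliberately not a match criterion in this model).

```python
# Added example (not from the session): a model of how an IOS responder walks
# its ISAKMP policies when a main-mode proposal arrives, so the debug output on
# this slide can be read against it.  Assumptions: policies are tried in
# ascending priority order and then the implicit default policy 65535; a policy
# matches when encryption, hash, authentication method and DH group are all
# identical.  Lifetime is not a match criterion here (IOS settles on the
# shorter value), and the strings are modelled on, not copied from, the debug.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str        # "des", "3des", "aes"
    hash_alg: str          # "md5", "sha"
    authentication: str    # "pre-share", "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds, informational only


# The default protection suite from the slide: DES / SHA / RSA signatures / group 1.
DEFAULT_POLICY = IkePolicy(65535, "des", "sha", "rsa-sig", 1)


def mismatch_reason(policy: IkePolicy, proposal: IkePolicy) -> Optional[str]:
    """None when the proposal matches, else the first failing attribute,
    checked in the order the debug reports them."""
    if policy.encryption != proposal.encryption:
        return "Encryption algorithm offered does not match policy!"
    if policy.hash_alg != proposal.hash_alg:
        return "Hash algorithm offered does not match policy!"
    if policy.authentication != proposal.authentication:
        return "Authentication method offered does not match policy!"
    if policy.group != proposal.group:
        return "Diffie-Hellman group offered does not match policy!"
    return None


def negotiate_phase1(configured: List[IkePolicy],
                     proposal: IkePolicy) -> Tuple[Optional[int], List[str]]:
    """Try every configured policy by priority, then the default policy.

    Returns (matched_priority, trace).  matched_priority is None when nothing
    matched, the case 'show crypto isakmp sa' shows as MM_NO_STATE."""
    trace: List[str] = []
    candidates = sorted(configured, key=lambda p: p.priority) + [DEFAULT_POLICY]
    for policy in candidates:
        trace.append(f"Checking ISAKMP transform 1 against priority {policy.priority} policy")
        reason = mismatch_reason(policy, proposal)
        if reason is None:
            trace.append("atts are acceptable.")
            return policy.priority, trace
        trace.append(reason)
        trace.append("atts are not acceptable.")
    trace.append("no offers accepted!")
    trace.append("phase 1 SA not acceptable!")
    return None, trace


def accepted_only_by_default(configured: List[IkePolicy], proposal: IkePolicy) -> bool:
    """True when a peer gets in solely through the weak default suite: the
    condition to look for when auditing which IKE parameters a hub accepts."""
    matched, _ = negotiate_phase1(configured, proposal)
    return matched == DEFAULT_POLICY.priority


if __name__ == "__main__":
    # The slide's scenario: one configured policy (3DES/SHA/pre-share/group 1)
    # and a peer proposing 3DES/MD5/pre-share/group 1.
    hub_policies = [IkePolicy(1, "3des", "sha", "pre-share", 1)]
    offered = IkePolicy(0, "3des", "md5", "pre-share", 1)
    matched, trace = negotiate_phase1(hub_policies, offered)
    print("\n".join(trace))
    print("matched priority:", matched)
```

Running the model on the slide's scenario reproduces the debug: a hash mismatch against priority 1, an encryption mismatch against 65535, then "phase 1 SA not acceptable!". accepted_only_by_default is the audit question the caveat on the previous slide raises: which peers would get in only because the default suite still exists.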
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router
  Problem description: a DMVPN hub and an EzVPN server are configured on the same router. DMVPN spokes are unable to connect, while EzVPN hardware and software clients connect fine.
  How to detect? Check the ISAKMP status. The spoke's SA is being pushed into XAuth (CONF_XAUTH), and the previous attempt sits in MM_NO_STATE, deleted:

    show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst          src          state        conn-id slot status
    172.17.0.1   172.18.1.1   CONF_XAUTH   4119    0    ACTIVE             <- trying XAuth
    172.17.0.1   172.18.1.1   MM_NO_STATE  4118    0    ACTIVE (deleted)
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router (Cont.)
  Run debug crypto isakmp to confirm what the show command suggests: after main mode the hub treats the spoke as a remote-access client and asks for XAuth credentials (XAUTH_USER_NAME_V2 / XAUTH_USER_PASSWORD_V2), which a DMVPN spoke will never answer. The ID payload carries 10.1.1.1 while the packets arrive from 172.18.1.1 port 1024 on port 4500: the spoke sits behind NAT and is using NAT-T.

    ISAKMP:(4119):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    ISAKMP:(4119):Old State = IKE_R_MM4  New State = IKE_R_MM5
    ISAKMP (0:4119): ID payload
            next-payload : 8
            type         : 1
            address      : 10.1.1.1
            protocol     : 17
            port         : 0
            length       : 12
    bring down existing phase 1 and 2 SAs with local 172.17.0.1 remote 172.18.1.1 remote port 1024
    ISAKMP:(4119):returning IP addr to the address pool
    ISAKMP:(4118):received initial contact, deleting SA
    ISAKMP:(4118):deleting SA reason "Receive initial contact" state (R) CONF_XAUTH (peer 172.18.1.1)
    ISAKMP:(4119):Old State = IKE_R_MM5  New State = IKE_R_MM5
    ISAKMP: set new node 616549739 to CONF_XAUTH
    ISAKMP:(4118):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    ISAKMP:(4118):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
    ISAKMP:(4119):Need XAUTH                                            <- looking for XAuth
    ISAKMP: set new node -701088864 to CONF_XAUTH
    ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    ISAKMP:(4119): initiating peer config to 172.18.1.1. ID = -701088864
    ISAKMP:(4119): sending packet to 172.18.1.1 my_port 4500 peer_port 1024 (R) CONF_XAUTH
    ISAKMP:(4119):Sending an IKE IPv4 Packet.
    ISAKMP:(4119):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    ISAKMP:(4119):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router (Cont.)
  Check the existing configuration that prevents the DMVPN spoke from coming up and produces the CONF_XAUTH state in the debugs. Neither the dynamic crypto map nor the IPsec profile is tied to an ISAKMP profile, so every incoming IKE peer is handled the same way.
  EzVPN server configuration:

    crypto isakmp client configuration group vpnclient
     key cisco123
     pool vpn
     acl 190
    crypto ipsec transform-set t3 esp-3des esp-md5-hmac
    crypto dynamic-map test 10
     set transform-set t3
    crypto map test isakmp authorization list groupauthor
    crypto map test client configuration address respond
    crypto map test 100 ipsec-isakmp dynamic test
    interface FastEthernet0/0
     ip address 172.17.0.1 255.255.255.252
     crypto map test
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router (Cont.)
  DMVPN hub configuration on the same router:

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set t2 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec profile vpnprof
     set transform-set t2
    interface Tunnel0
     ip address 10.0.0.8 255.255.255.0
     tunnel protection ipsec profile vpnprof
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router - How to Fix?
  - With both an EzVPN server and DMVPN on one router, a spoke's IKE session lands by default on the EzVPN group configuration, which expects XAuth (CONF_XAUTH).
  - Separate the EzVPN server and the DMVPN configuration with ISAKMP profiles: match EzVPN software/hardware clients on their group name, and match DMVPN spokes with match identity address in the ISAKMP profile.
  - Corrected configuration of the DMVPN hub:

    crypto keyring dmvpn
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp profile dmvpn
     keyring dmvpn
     match identity address 0.0.0.0
    crypto ipsec profile vpnprof
     set transform-set t2
     set isakmp-profile dmvpn

  - Caveat: the wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is carried over from the original configuration. It means every spoke shares one secret, so a compromised spoke can impersonate any other; per-spoke keys or certificate authentication remove that exposure, and the profile separation shown here works the same way with either.
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router (Cont.)
  Corrected configuration of the EzVPN server: the dynamic map is tied to a profile that only matches the client group.

    crypto isakmp client configuration group vpnclient
     key cisco123
     pool vpn
     acl 190
    crypto isakmp profile remotevpn
     match identity group vpnclient
    crypto dynamic-map test 10
     set transform-set t3
     set isakmp-profile remotevpn
    crypto map test isakmp authorization list groupauthor
    crypto map test client configuration address respond
    crypto map test 100 ipsec-isakmp dynamic test
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router - How to Verify?
  With the profiles in place, debug crypto isakmp shows the spoke's key being found in the dmvpn keyring instead of the session being steered into XAuth:

    ISAKMP:(0):found peer pre-shared key matching 172.18.1.1
    ISAKMP:(0): local preshared key found
    ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
    ISAKMP:(0):atts are acceptable. Next payload is 0
    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    ISAKMP:(4157):Old State = IKE_R_MM3  New State = IKE_R_MM4
    ISAKMP:(4157):Old State = IKE_R_MM4  New State = IKE_R_MM5
    ISAKMP (0:4157): ID payload
            next-payload : 8
            type         : 1
            address      : 10.1.1.1
            protocol     : 17
            port         : 0
            length       : 12
    ISAKMP:(4157):Found ADDRESS key in keyring dmvpn                  <- keyring lookup in the debugs
    ISAKMP:(4157):Old State = IKE_R_MM5  New State = IKE_R_MM5
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router - How to Verify? (Cont.)

    ISAKMP:(4157):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    ISAKMP:(4157):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    ISAKMP (0:4157): ID payload
            next-payload : 8
            type         : 1
            address      : 172.17.0.1
            protocol     : 17
            port         : 0
            length       : 12
    ISAKMP:(4157):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    ISAKMP:(4157):Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP:(4157):atts are acceptable.
    ISAKMP:(4157): Creating IPSec SA
      inbound SA from 172.18.1.1 to 172.17.0.1 (f/i) 0/ 0
        (proxy 172.18.1.1 to 172.17.0.1)
        has spi 0x936AA23D and conn_id 0
      outbound SA from 172.17.0.1 to 172.18.1.1 (f/i) 0/0
        (proxy 172.17.0.1 to 172.18.1.1)
        has spi 0xD37F43CB and conn_id 0
    ISAKMP:(4157):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE   <- VPN tunnel established
    %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.0.11 (Tunnel0) is up: new adjacency

  The EIGRP adjacency over Tunnel0 is the end-to-end confirmation: IPsec, GRE/NHRP and the routing layer are all working for this spoke.
• Common Issues: DMVPN Hub and EzVPN Server in the Same Router - How to Verify? (Cont.)
  show crypto isakmp sa now lists the ISAKMP profile each SA matched, so EzVPN clients (remotevpn) and DMVPN spokes (dmvpn) can be told apart at a glance:

    show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst          src             state    conn-id slot status
    172.17.0.1   172.19.87.148   QM_IDLE  4158    0    ACTIVE remotevpn   <- EzVPN profile
    172.17.0.1   172.16.1.1      QM_IDLE  4152    0    ACTIVE dmvpn       <- DMVPN profile
    172.17.0.1   172.18.1.1      QM_IDLE  4157    0    ACTIVE dmvpn
    172.17.0.6   172.17.0.1      QM_IDLE  4156    0    ACTIVE dmvpn

    show crypto ipsec sa peer 172.18.1.1
      local ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (172.18.1.1/255.255.255.255/47/0)
      current_peer 172.18.1.1 port 1024
      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
      current outbound spi: 0xD37F43CB(3548333003)
      inbound esp sas:
       spi: 0x936AA23D(2473239101)
      outbound esp sas:
       spi: 0xD37F43CB(3548333003)
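The fix on the preceding slides comes down to one structural rule: when a router is both an EzVPN server and a DMVPN hub, every IPsec profile and every dynamic crypto map must pin an ISAKMP profile with its own match identity. Below is an added lint that checks a running-config for that rule (not Cisco code and not from the session; parse_sections, lint_isakmp_profiles and wildcard_psk_lines are names chosen here). It assumes the IOS indentation convention for config sections; BEFORE and AFTER are the slides' own configurations, embedded as constructed sample input and trimmed to the lines that matter.

```python
# Added example (not Cisco code, not from the session): a lint for the
# coexistence problem on these slides.  It reads IOS running-config text with
# the usual indentation convention (a non-indented line opens a section and the
# indented lines below it belong to it) and, when the router carries both an
# EzVPN client group and a tunnel-protected DMVPN interface, reports every
# 'crypto ipsec profile' and 'crypto dynamic-map' that does not pin an ISAKMP
# profile.  BEFORE and AFTER are the slides' configurations, embedded here as
# constructed sample input (trimmed to the lines that matter).
import re
from typing import Dict, List, Tuple


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config into (header, [child commands]) pairs by indentation."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def lint_isakmp_profiles(config: str) -> List[str]:
    """Empty when every IKE-terminating object pins an ISAKMP profile, or when
    the router serves only one of the two roles (nothing to separate)."""
    sections = parse_sections(config)
    ezvpn_group = any(h.startswith("crypto isakmp client configuration group")
                      for h, _ in sections)
    dmvpn_tunnel = any(c.startswith("tunnel protection ipsec profile")
                       for _, kids in sections for c in kids)
    if not (ezvpn_group and dmvpn_tunnel):
        return []
    profiles: Dict[str, List[str]] = {h.split()[-1]: kids for h, kids in sections
                                      if h.startswith("crypto isakmp profile ")}
    findings: List[str] = []
    for header, kids in sections:
        if not header.startswith(("crypto ipsec profile ", "crypto dynamic-map ")):
            continue
        pinned = [c.split()[-1] for c in kids if c.startswith("set isakmp-profile ")]
        if not pinned:
            findings.append(f"{header}: no 'set isakmp-profile'; DMVPN spokes can land "
                            "in the EzVPN group and stall in CONF_XAUTH")
        for name in pinned:
            if name not in profiles:
                findings.append(f"{header}: isakmp profile '{name}' is not defined")
            elif not any(k.startswith("match identity ") for k in profiles[name]):
                findings.append(f"crypto isakmp profile {name}: no 'match identity'")
    return findings


def wildcard_psk_lines(config: str) -> List[str]:
    """Pre-shared keys bound to 0.0.0.0 0.0.0.0: one secret shared by every
    spoke, so a compromised spoke can impersonate any other.  Reported
    separately because the slides' fix keeps the wildcard key."""
    return [ln.strip() for ln in config.splitlines()
            if re.search(r"address 0\.0\.0\.0 0\.0\.0\.0", ln)]


BEFORE = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group vpnclient
 key cisco123
crypto ipsec transform-set t2 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile vpnprof
 set transform-set t2
crypto dynamic-map test 10
 set transform-set t3
crypto map test 100 ipsec-isakmp dynamic test
interface Tunnel0
 ip address 10.0.0.8 255.255.255.0
 tunnel protection ipsec profile vpnprof
"""

AFTER = """\
crypto keyring dmvpn
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp client configuration group vpnclient
 key cisco123
crypto isakmp profile dmvpn
 keyring dmvpn
 match identity address 0.0.0.0
crypto isakmp profile remotevpn
 match identity group vpnclient
crypto ipsec profile vpnprof
 set transform-set t2
 set isakmp-profile dmvpn
crypto dynamic-map test 10
 set transform-set t3
 set isakmp-profile remotevpn
crypto map test 100 ipsec-isakmp dynamic test
interface Tunnel0
 ip address 10.0.0.8 255.255.255.0
 tunnel protection ipsec profile vpnprof
"""
```

Against BEFORE the lint reports both the unpinned IPsec profile and the unpinned dynamic map; against AFTER it reports nothing. wildcard_psk_lines still flags one line in AFTER, which is the point of keeping it separate: the fix resolves the steering problem without touching the trust model.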
• Common Issues: Incompatible IPsec Transform Set
  - If the IPsec transform sets on the two IPsec peers are incompatible or mismatched, IPsec negotiation fails and the router reports "atts not acceptable" for the IPsec proposal.
  - Phase 2 parameters that must agree: IPsec mode (tunnel or transport), encryption algorithm, authentication algorithm, PFS group, IPsec SA lifetime, proxy identities.

    ISAKMP (0:2): Checking IPsec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP:   attributes in transform:
    ISAKMP:      encaps is 1
    ISAKMP:      SA life type in seconds
    ISAKMP:      SA life duration (basic) of 3600
    ISAKMP:      SA life type in kilobytes
    ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
    IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
    ISAKMP (0:2): atts not acceptable. Next payload is 0
    ISAKMP (0:2): SA not acceptable!

  Reading the rejected proposal: encaps is 1 is the IPsec DOI value for tunnel mode, prot 3 is ESP, trans 3 is ESP_3DES and hmac_alg 0 means the offer carried no ESP authentication algorithm. A peer whose transform set is esp-3des esp-sha-hmac in transport mode, as in the earlier Phase 2 debug, differs from it in both mode and authentication. The volume lifetime 0x0 0x46 0x50 0x0 is 0x465000 = 4608000 kilobytes, the IOS default.
• Four Layers for Troubleshooting: GRE Encapsulation Layer
  The GRE encapsulation layer (GRE/NHRP): GRE encapsulates the data IP packet on the way out and, after IPsec decryption, decapsulates the incoming GRE packet to recover the data IP packet.
  [Figure: layered stack between two tunnel endpoints: IPsec and the GRE/NHRP tunnel (tunnel destinations a and b) on top of the IP infrastructure layer, where static, EIGRP, OSPF or BGP routing reaches the tunnel destinations]
• Four Layers for Troubleshooting: GRE Encapsulation Layer - DMVPN Component GRE/NHRP
  - Multipoint GRE (mGRE) tunnel interface
      A single GRE interface supports multiple GRE/IPsec tunnels
      Simplifies the size and complexity of the configuration
  - Next Hop Resolution Protocol (NHRP)
      Builds a distributed NHRP mapping database of every spoke's tunnel address to its real (public interface) address
• Four Layers for Troubleshooting: GRE Encapsulation Layer - DMVPN Component mGRE
  A point-to-point GRE (p-pGRE) interface definition includes an IP address, a tunnel source, a tunnel destination and an optional tunnel key:

    interface Tunnel0
     ip address 10.0.0.1 255.0.0.0
     tunnel source Dialer1
     tunnel destination 172.16.0.2
     tunnel key 1

  An mGRE interface definition has no fixed tunnel destination; it includes an IP address, a tunnel source, tunnel mode gre multipoint and an optional tunnel key:

    interface Tunnel0
     ip address 10.0.0.1 255.0.0.0
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 1
• Four Layers for Troubleshooting: GRE Encapsulation Layer - DMVPN Component mGRE (Cont.)
  - Single tunnel interface (multipoint)
      Non-Broadcast Multi-Access (NBMA) network
      Smaller hub configuration
      Multicast/broadcast support
  - Dynamic tunnel destination, supplied by the Next Hop Resolution Protocol (NHRP)
      VPN IP to NBMA IP address mapping
      Short-cut forwarding
      Direct support for dynamic addresses and NAT
• Four Layers for Troubleshooting: GRE Encapsulation Layer - What Is NHRP
  DMVPN component: NHRP
  - NHRP is an address resolution protocol with a cache, analogous to ARP on Ethernet or Inverse ARP on Frame Relay
  - In DMVPN it maps a tunnel IP address to an NBMA (transport) address
  - Like ARP, NHRP can have static and dynamic entries
  - NHRP has worked fully dynamically since Release 12.2(13)T
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Basic NHRP Configuration
  DMVPN component: NHRP (Cont.)
  - To enable NHRP on an mGRE interface, the following command is required:
      ip nhrp network-id <id>
  - <id> is a unique number (recommended: the same value on the hub and all spokes). It is locally significant and is not carried in NHRP packets, so the recommendation is for operational clarity rather than a protocol requirement.
  - <id> has nothing to do with the tunnel key
  - The network ID defines an NHRP domain; several domains can coexist on the same router
  - Without this command the tunnel interface won't come up
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Adding to the NHRP Cache
  DMVPN component: NHRP (Cont.)
  Three ways to populate the NHRP cache:
  - Manually add static entries
  - The hub learns via registration requests
  - Spokes learn via resolution requests ("resolution" is for spoke-to-spoke)
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Initial NHRP Caches
  DMVPN component: NHRP (Cont.)
  - Initially the hub has an empty cache
  - The spoke has one static entry mapping the hub's tunnel address to the hub's NBMA address:
      ip nhrp map 10.0.0.1 172.17.0.1
  - Multicast traffic must be sent to the hub:
      ip nhrp map multicast 172.17.0.1
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Spoke Must Register with Hub
  DMVPN component: NHRP (Cont.)
  - For the spokes to register themselves with the hub, the hub must be declared as a Next Hop Server (NHS):
      ip nhrp nhs 10.0.0.1
      ip nhrp holdtime 300              (recommended; default = 7200)
      ip nhrp registration no-unique    (recommended for spokes whose NBMA address can change; see the NBMA address change case among the common issues)
  - Spokes control the cache on the hub
• Four Layers for Troubleshooting: GRE Encapsulation Layer - NHRP Registration
  DMVPN component: NHRP (Cont.)
  - NHRP registration
      The spoke dynamically registers its mapping with the NHS
      Supports spokes with dynamic NBMA addresses or behind NAT
  - NHRP resolutions and redirects
      Support building dynamic spoke-to-spoke tunnels
      Control and multicast traffic still go via the hub
      Unicast data traffic goes direct, reducing the load on the hub routers
• NHRP Registration Example: Dynamically Addressed Spokes
  [Figure: hub with two spokes over permanent hub-and-spoke IPsec tunnels; each router box lists its NHRP mappings and routing table]
  Hub (physical 172.17.0.1, Tunnel0 10.0.0.1, LAN 192.168.0.1/24)
    NHRP mapping:  10.0.0.11 -> 172.16.1.1, 10.0.0.12 -> 172.16.2.1 (learned from the spokes' registrations)
    Routing table: 192.168.0.0/24 connected; 192.168.1.0/24 via 10.0.0.11; 192.168.2.0/24 via 10.0.0.12
  Spoke A (physical 172.16.1.1, Tunnel0 10.0.0.11, LAN 192.168.1.1/24)
    NHRP mapping:  10.0.0.1 -> 172.17.0.1 (static)
    Routing table: 192.168.0.0/24 via 10.0.0.1; 192.168.1.0/24 connected; 192.168.2.0/24 via 10.0.0.1
  Spoke B (physical 172.16.2.1, Tunnel0 10.0.0.12, LAN 192.168.2.1/24)
    NHRP mapping:  10.0.0.1 -> 172.17.0.1 (static)
    Routing table: 192.168.0.0/24 via 10.0.0.1; 192.168.1.0/24 via 10.0.0.1; 192.168.2.0/24 connected
• Four Layers for Troubleshooting: GRE Encapsulation Layer - NHRP Registration (Cont.)
  DMVPN component: NHRP (Cont.)
  - Registration builds the base hub-and-spoke network
      Hub-and-spoke data traffic
      Control traffic: NHRP, routing protocol, IP multicast
  - The Next Hop Client (NHC) has a static mapping for its Next Hop Servers (NHSs)
  - The registration interval is configurable:
      ip nhrp registration timeout <seconds>   (default = 1/3 of the NHRP hold time)
  - The NHS registration reply tells the spoke whether the NHS is alive; important for Phase 2 networks
• Dynamic Mesh: Phase 2 NHRP Resolutions
  [Figure: same topology as the registration example; legend: data packet, NHRP resolution, NHRP mapping, CEF FIB table, CEF adjacency]
  Hub: NHRP mappings 10.0.0.11 -> 172.16.1.1 and 10.0.0.12 -> 172.16.2.1; routes 192.168.1.0/24 via 10.0.0.11 and 192.168.2.0/24 via 10.0.0.12; CEF adjacencies to both spokes complete.
  Spoke B (10.0.0.12) has a data packet for 192.168.1.0/24. In Phase 2 the routing table carries the remote spoke as next hop (192.168.1.0/24 via 10.0.0.11), but the NHRP mapping for 10.0.0.11 is still unknown (10.0.0.11 -> ???) and the CEF adjacency for it is incomplete.
  Spoke B sends an NHRP Resolution Request for 10.0.0.11 to the hub (its NHS); until the reply arrives the data packets are forwarded through the hub over the static mapping 10.0.0.1 -> 172.17.0.1 (marked (*)). Spoke A has the mirror-image state: 192.168.2.0/24 via 10.0.0.12, with 10.0.0.12 incomplete.
• Dynamic Mesh: Phase 2 NHRP Resolutions (Cont.)
  [Figure: same topology after the resolution completes]
  The hub forwards the Resolution Request to Spoke A, which answers Spoke B directly; each spoke now holds the other's mapping (on Spoke B 10.0.0.11 -> 172.16.1.1, on Spoke A 10.0.0.12 -> 172.16.2.1).
  The CEF adjacencies 10.0.0.11 -> 172.16.1.1 and 10.0.0.12 -> 172.16.2.1 become complete, an IPsec tunnel is built between the spokes, and unicast data now flows spoke-to-spoke. The static hub mappings (10.0.0.1 -> 172.17.0.1) remain for control and multicast traffic.
• NHRP Resolutions and Redirects (Phase 3)
  [Figure: same topology; legend: data packet, NHRP redirect, NHRP resolution, NHRP mapping, CEF FIB table, CEF adjacency]
  In Phase 3 the spokes carry only a summary route (192.168.0.0/16 via 10.0.0.1) and the static hub mapping 10.0.0.1 -> 172.17.0.1; the hub keeps the registered mappings 10.0.0.11 -> 172.16.1.1 and 10.0.0.12 -> 172.16.2.1 and the per-spoke routes.
  Spoke A sends a data packet for 192.168.2.1 to the hub. The hub forwards it and, because the packet leaves through the same mGRE interface it arrived on, sends an NHRP Redirect back to Spoke A.
  Spoke A then sends an NHRP Resolution Request for the data destination 192.168.2.1 (not for the next hop, as in Phase 2); it travels via the hub to Spoke B, which replies directly with 192.168.2.0/24 -> 10.0.0.12 -> 172.16.2.1. Spoke A installs that NHRP shortcut and subsequent packets go spoke-to-spoke.
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Look at NHRP
  - The spoke should send an NHRP registration request on a regular basis: every 1/3 of the NHRP hold time (on the spoke), or the ip nhrp registration timeout <seconds> value
  - On the spoke:  show ip nhrp nhs detail
  - On the hub:    show ip nhrp <spoke-tunnel-ip-address>
  - Check the created and expire timers:
      created: how long this NHRP mapping entry has continuously been in the NHRP mapping table
      expire:  how long before this entry is deleted if the hub does not receive another NHRP registration from the spoke
  - If the created timer is low and keeps getting reset, the NHRP mapping entry is being deleted and re-created: the spoke's registrations are not refreshing the entry before it expires
• Four Layers for Troubleshooting: GRE Encapsulation Layer (Cont.)
  - Verify pings from the hub to the spoke's tunnel IP address and the reverse
  - Use the following debugs on the hub router:
      debug nhrp condition peer {nbma | tunnel} <address>
      debug nhrp
      debug tunnel protection
      debug crypto socket
    The last two debugs show the communication between NHRP and IPsec.
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Show Commands

    show ip nhrp detail
    10.0.0.5/32 via 10.0.0.5, Tunnel0 created 03:36:47, never expire
      Type: static, Flags: used
      NBMA address: 172.17.0.5
    10.0.0.9/32 via 10.0.0.9, Tunnel0 created 03:26:26, expire 00:04:04
      Type: dynamic, Flags: unique nat registered
      NBMA address: 110.110.110.2
    10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:55:43, expire 00:04:15
      Type: dynamic, Flags: unique nat registered
      NBMA address: 120.120.120.2

    show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding
    Tunnel0:
    10.0.0.1  RE req-sent 654 req-failed 0 repl-recv 590 (00:00:09 ago)
    10.0.0.5  RE req-sent 632 req-failed 0 repl-recv 604 (00:00:09 ago)

  Static entries never expire; dynamic entries show the remaining hold time. A healthy NHS line carries both flags (RE) and req-failed 0.
  NHRP flag information: http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1067931
• Four Layers for Troubleshooting: GRE Encapsulation Layer - debug dmvpn detail all
  Stage of debug dmvpn detail all shown here: debug tunnel protection, second pass (full sequence: debug tunnel protection -> debug crypto socket -> debug crypto isakmp -> debug crypto ipsec -> debug tunnel protection -> debug nhrp packet)
  - Tunnel protection runs again after the IPsec Phase 2 SA comes up
  - The connection lookup ID must be the same one returned when the tunnel started (when the socket was opened)
  - A syslog message shows the socket coming UP
  - NHRP is signalled after the socket is UP

    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 83884274
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.5): tunnel_protection_socket_up
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.5): Signalling NHRP
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.5): connection lookup returned 83DD7B30
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 83884274   <- same ID as when the socket was opened
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): tunnel_protection_socket_up
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Signalling NHRP

    Syslog message: %DMVPN-7-CRYPTO_SS: Tunnel0-172.16.2.11 socket is UP
• Four Layers for Troubleshooting: GRE Encapsulation Layer - debug dmvpn detail all (Cont.)
  Stage of debug dmvpn detail all shown here: debug nhrp packet (full sequence: debug tunnel protection -> debug crypto socket -> debug crypto isakmp -> debug crypto ipsec -> debug tunnel protection -> debug nhrp packet)
  - The spoke sends an NHRP registration request
  - The reqid must be the same in the registration request and in the reply (1279 here)

    NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 104
     src: 10.0.0.9, dst: 10.0.0.1
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "unique nat ", reqid: 1279
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.9, dst protocol: 10.0.0.1
     (C-1) code: no error(0)
           prefix: 255, mtu: 1514, hd_time: 300
           addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

    NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 124
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
         shtl: 4(NSAP), sstl: 0(NSAP)
     (M) flags: "unique nat ", reqid: 1279
         src NBMA: 172.16.1.1
         src protocol: 10.0.0.9, dst protocol: 10.0.0.1
     (C-1) code: no error(0)
           prefix: 255, mtu: 1514, hd_time: 300
           addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

    Syslog message: %DMVPN-5-NHRP_NHS: Tunnel0 10.0.0.1 is UP

  The (C-1) code in the reply is the verdict: no error(0) means the hub accepted the mapping. hd_time: 300 is the hold time the spoke asked for, and the unique flag means the hub will refuse a registration for the same tunnel address from a different NBMA address while this entry lives.
• Four Layers for Troubleshooting: GRE Encapsulation Layer - Common Issues
  - NHRP registration fails
  - Dynamic NBMA address change on a spoke resulting in an inconsistent NHRP mapping on the hub
• Common Issues: NHRP Registration Fails
  How to detect? The VPN tunnel between hub and spoke is up, but no data traffic passes.

    show crypto isakmp sa
    dst          src          state    conn-id slot status
    172.17.0.1   172.16.1.1   QM_IDLE  1082    0    ACTIVE

    show crypto ipsec sa   (spoke)
      local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
      #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154     <- packets are encrypted and sent to the hub
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0           <- nothing comes back from the hub
      inbound esp sas:
       spi: 0xF830FC95(4163959957)
      outbound esp sas:
       spi: 0xD65A7865(3596253285)
• Common Issues: NHRP Registration Fails (Cont.)

    show crypto ipsec sa   (hub)
      local ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0           <- the hub sends nothing back to the spoke
      #pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154     <- the spoke's packets arrive and decrypt fine
      inbound esp sas:
       spi: 0xD65A7865(3596253285)
      outbound esp sas:
       spi: 0xF830FC95(4163959957)

    show interface tunnel0   (spoke)
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.0.0.12/24
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
      Output queue: 0/0 (size/max)
      0 packets input, 0 bytes, 0 no buffer                        <- zero input packets received from the hub
      31 packets output, 3318 bytes, 0 underruns

  The IPsec layer itself is fine: the SPIs match end to end and the hub decrypts everything the spoke sends. Whatever drops the packets sits above IPsec, at the GRE/NHRP layer.
    • Common Issues:NHRP Registration Fails (Cont.) Check NHS entry in spoke router. NHS Request fail Show ip nhrp nhs detail Legend: E=Expecting replies, R=Responding Tunnel0: 172.17.0.1 E req-sent 0 req-failed 30 repl-recv 0 Pending Registration Requests: Registration Request: Reqid 4371, Ret 64 NHS 172.17.0.1How to Fix? Check spoke router tunnel interface configuration to make sure both sides have same tunnel key configured interface Tunnel0 interface Tunnel0 ip address 10.0.0.9 255.255.255.0 Look carefully ip address 10.0.0.1 255.255.255.0Look for tunnel determine spoke ip nhrp authentication test ip nhrp map 10.0.0.1 172.17.0.1 tunnel key has ankey in bothhub and spoke ip nhrp map multicast dynamic ip nhrp map multicast 172.17.0.1 extra zero tunnel key 100000 tunnel key 1000000 BRKSEC-3052 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
• Common Issues: NHRP Registration Fails (Cont.) - How to Verify?
  Verify the NHS entry, the IPsec encrypt/decrypt counters and the routing-protocol neighbour:

    show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding
    Tunnel0:
    10.0.0.1  RE req-sent 4 req-failed 0 repl-recv 3 (00:01:04 ago)      <- no failed requests

    show crypto ipsec sa
      local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
      #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      inbound esp sas:
       spi: 0x1B7670FC(460747004)
      outbound esp sas:
       spi: 0x3B31AA86(993110662)

    show ip eigrp neighbors
    IP-EIGRP neighbors for process 10
    H   Address      Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
    1   10.0.0.1     Tu0         11    00:21:20  18     200   0    497
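The detect/fix/verify sequence on the four slides above, as an added script (not from the session; ipsec_counters, nhs_status, tunnel_param and diagnose are names chosen here). It parses show crypto ipsec sa from spoke and hub, show ip nhrp nhs detail from the spoke and the two tunnel-interface configurations, and reports the same three conclusions reached by eye: one-way traffic at the IPsec layer, an NHS that never answers, and a tunnel key or NHRP authentication string that differs between hub and spoke. The sample text is the slides' own output, embedded as constructed input; the counter and NHS line formats are assumed to be those of classic IOS.

```python
# Added example (not from the session): the three checks on the preceding
# slides as a script.  ipsec_counters/nhs_status/tunnel_param/diagnose are
# names chosen here; the sample outputs are the slides' own, embedded as
# constructed input.  Assumes classic IOS formats for '#pkts encaps: N' and
# for the 'show ip nhrp nhs detail' status line.
import re
from typing import Dict, List, Optional

COUNTERS = ("encaps", "encrypt", "decaps", "decrypt")


def ipsec_counters(show_crypto_ipsec_sa: str) -> Dict[str, int]:
    """#pkts encaps/encrypt/decaps/decrypt from 'show crypto ipsec sa'."""
    out: Dict[str, int] = {}
    for name in COUNTERS:
        m = re.search(rf"#pkts {name}: (\d+)", show_crypto_ipsec_sa)
        out[name] = int(m.group(1)) if m else 0
    return out


NHS_LINE = re.compile(r"^\s*(\S+)\s+([ER]+)\s+req-sent (\d+) req-failed (\d+) repl-recv (\d+)",
                      re.MULTILINE)


def nhs_status(show_ip_nhrp_nhs_detail: str) -> List[Dict[str, object]]:
    """One record per NHS; flags are E (expecting replies) and/or R (responding)."""
    return [{"nhs": m.group(1), "flags": m.group(2), "sent": int(m.group(3)),
             "failed": int(m.group(4)), "recv": int(m.group(5))}
            for m in NHS_LINE.finditer(show_ip_nhrp_nhs_detail)]


def tunnel_param(interface_config: str, command: str) -> Optional[str]:
    """Argument of a single-argument tunnel-interface command, e.g. 'tunnel key'."""
    m = re.search(rf"^\s*{re.escape(command)} (\S+)\s*$", interface_config, re.MULTILINE)
    return m.group(1) if m else None


def diagnose(spoke_ipsec: str, hub_ipsec: str, spoke_nhs: str,
             spoke_tunnel_cfg: str, hub_tunnel_cfg: str) -> List[str]:
    """Findings in the order the slides check them; empty when all is well."""
    findings: List[str] = []
    s, h = ipsec_counters(spoke_ipsec), ipsec_counters(hub_ipsec)
    if s["encaps"] > 0 and s["decaps"] == 0:
        findings.append("spoke encrypts toward the hub but decrypts nothing back")
    if h["decaps"] > 0 and h["encaps"] == 0:
        findings.append("hub decrypts the spoke's packets but never answers: "
                        "IPsec is fine, the GRE/NHRP layer is dropping them")
    for nhs in nhs_status(spoke_nhs):
        if "R" not in str(nhs["flags"]):
            findings.append(f"NHS {nhs['nhs']} not responding "
                            f"(req-failed {nhs['failed']}, repl-recv {nhs['recv']})")
    for cmd in ("tunnel key", "ip nhrp authentication"):
        sv, hv = tunnel_param(spoke_tunnel_cfg, cmd), tunnel_param(hub_tunnel_cfg, cmd)
        if sv != hv:
            findings.append(f"'{cmd}' differs: spoke {sv} vs hub {hv}; the spoke's packets "
                            "are discarded below NHRP, so its registration never arrives")
    return findings


# Constructed sample input, copied from the slides' broken state.
SPOKE_IPSEC_BROKEN = """\
  local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
  #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
HUB_IPSEC_BROKEN = """\
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
"""
SPOKE_NHS_BROKEN = """\
Legend: E=Expecting replies, R=Responding
Tunnel0:
172.17.0.1  E req-sent 0 req-failed 30 repl-recv 0
"""
SPOKE_TUNNEL = """\
interface Tunnel0
 ip address 10.0.0.9 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 tunnel key 1000000
"""
HUB_TUNNEL = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 tunnel key 100000
"""
```

On the broken inputs diagnose returns four findings, ending with the tunnel key mismatch (1000000 against 100000); with the hub key corrected and the post-fix outputs from the verify slide it returns nothing. The counter logic is deliberately asymmetric: a spoke with encaps but no decaps only says "no return traffic", while a hub with decaps but no encaps is what pins the loss to the GRE/NHRP layer.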
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub
  Problem description: a spoke's dynamic NBMA address changes, and the hub keeps an inconsistent NHRP mapping until the registration made with the previous NBMA address expires.
  Show commands on the hub before the NBMA address change:

    Hub# show ip nhrp
    10.0.0.11/32 via 10.0.0.11, Tunnel0 created 16:18:11, expire 00:28:47
      Type: dynamic, Flags: unique nat registered
      NBMA address: 172.16.2.2

    Hub# show crypto socket
    Tu0 Peers (local/remote): 172.17.0.1/172.16.2.2
      Local Ident  (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47)
      Remote Ident (addr/mask/port/prot): (172.16.2.2/255.255.255.255/0/47)
      IPsec Profile: "dmvpn"
      Socket State: Open
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub (Cont.)

    Hub# show crypto ipsec sa
    interface: Tunnel0
      Crypto map tag: Tunnel0-head-0
      local crypto endpoint: 172.17.0.1
      remote crypto endpoint: 172.16.2.2
      #pkts encaps: 13329,
      #pkts decaps: 13326,
      inbound esp sas:
       spi: 0xFEAB438C(4272636812)
      outbound esp sas:
       spi: 0xDD07C33A(3708273466)

    Hub# show crypto map
    Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
      Map is a PROFILE INSTANCE.
      Peer = 172.16.2.2
      Extended IP access list
        access-list permit gre host 172.17.0.1 host 172.16.2.2
      Current peer: 172.16.2.2

  How to detect? The inconsistency after the spoke's NBMA address changes to 172.16.2.3: NHRP has no entry for 172.16.2.3 and still holds the previous NBMA address 172.16.2.2.

    Hub# show ip nhrp
    10.0.0.11/32 via 10.0.0.11, Tunnel0 created 17:37:25, expire 00:09:34
      Type: dynamic, Flags: unique nat registered used
      NBMA address: 172.16.2.2                                       <- previous NBMA address
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub (Cont.)
  How to detect? (Cont.) The crypto layer, by contrast, already knows both addresses: there is a crypto map entry and an open socket for the previous and for the new NBMA address of the spoke.

    Hub# show crypto map
    Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
      Map is a PROFILE INSTANCE.
      Peer = 172.16.2.2
      Extended IP access list
        access-list permit gre host 172.17.0.1 host 172.16.2.2
      Current peer: 172.16.2.2
    Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
      Map is a PROFILE INSTANCE.
      Peer = 172.16.2.3
      Extended IP access list
        access-list permit gre host 172.17.0.1 host 172.16.2.3
      Current peer: 172.16.2.3

    Hub# show crypto socket
    Tu0 Peers (local/remote): 172.17.0.1/172.16.2.2                    <- old NBMA address
      Local Ident  (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47)
      Remote Ident (addr/mask/port/prot): (172.16.2.2/255.255.255.255/0/47)
      Socket State: Open
    Tu0 Peers (local/remote): 172.17.0.1/172.16.2.3                    <- new NBMA address
      Local Ident  (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47)
      Remote Ident (addr/mask/port/prot): (172.16.2.3/255.255.255.255/0/47)
      Socket State: Open
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub (Cont.)
  How to detect? (Cont.) Use debug nhrp packet on the hub router to check the NHRP registration request and reply. The (C-1) code in the reply, unique address registered already(14), shows why the hub does not update its mapping table with the new NBMA address: the existing entry was registered with the unique flag and has not expired yet.

    Hub# debug nhrp packet
    NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 104
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     (M) flags: "unique nat ", reqid: 9480
         src NBMA: 172.16.2.3
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: no error(0)
           prefix: 255, mtu: 1514, hd_time: 600
    NHRP: Attempting to send packet via DEST 10.0.0.11
    NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.2.3
    NHRP: Send Registration Reply via Tunnel0 vrf 0, packet size: 124
     src: 10.0.0.1, dst: 10.0.0.11
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     (M) flags: "unique nat ", reqid: 9480
         src NBMA: 172.16.2.3
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: unique address registered already(14)               <- NBMA address already registered
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub (Cont.)
  The spoke router logs the corresponding error, indicating that the address is already registered:

    %NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)

  How to fix? Configure ip nhrp registration no-unique on the tunnel interface of the spoke router that has the dynamic NBMA address. The spoke then no longer sets the unique flag in its NHRP registration request (and the reply), so the NHS is allowed to overwrite the existing mapping for that tunnel address.

    Spoke# show run interface tunnel0
    interface Tunnel0
     ip address 10.0.0.11 255.255.255.0
     ip nhrp map 10.0.0.1 172.17.0.1
     ip nhrp map multicast 172.17.0.1
     ip nhrp holdtime 600
     ip nhrp nhs 10.0.0.1
     ip nhrp registration no-unique
     ...
     tunnel protection ipsec profile dmvpn

  Caveats: without no-unique the outage lasts until the stale entry's hold time (600 seconds here) runs out, so a shorter ip nhrp holdtime only bounds the problem while no-unique removes it. The unique flag was also what stopped any other IPsec-authenticated peer from registering this spoke's tunnel address and taking over its traffic; with no-unique that protection rests entirely on IKE authentication, which is one more argument against a wildcard pre-shared key shared by all spokes.
• Common Issues: Dynamic NBMA Address Change in Spoke Resulting in Inconsistent NHRP Mapping in Hub
How to Verify? After the change the registration request carries only the "nat" flag (the unique flag is gone) and the C-1 code in the reply shows no error:

    Hub# debug nhrp packet
    NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 104
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     (M) flags: "nat", reqid: 9462
         src NBMA: 172.16.2.4
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: no error(0)
    NHRP: Tu0: Creating dynamic multicast mapping NBMA: 172.16.2.4
    NHRP: Attempting to send packet via DEST 10.0.0.11
    NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.2.4
    NHRP: Send Registration Reply via Tunnel0 vrf 0, packet size: 124
         src: 10.0.0.1, dst: 10.0.0.11
     (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
     (M) flags: "nat", reqid: 9462
         src NBMA: 172.16.2.4
         src protocol: 10.0.0.11, dst protocol: 10.0.0.1
     (C-1) code: no error(0)
         prefix: 255, mtu: 1514, hd_time: 600

The hub's NHRP cache now holds the new NBMA address, and the unique flag is not set on the entry:

    Hub# show ip nhrp
    10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:04:32, expire 00:07:06
      Type: dynamic, Flags: nat registered
      NBMA address: 172.16.2.4
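The detection step above is easy to automate. The following script is an added example, not code from the Cisco deck: it scans "debug nhrp packet" output captured on the hub (same line layout as on the slides), pairs each Registration Reply with the last accepted registration for the same tunnel address, and reports spokes whose new NBMA address the hub refused with error code 14. The debug text embedded in the script is constructed for the example.

```python
"""Spot a spoke whose new NBMA address the hub refuses to learn because an
older registration with the 'unique' flag is still cached.

Added example, not code from the Cisco deck. It parses 'debug nhrp packet'
output from a hub; the sample debug below is constructed, not a real capture.
"""
import re

UNIQUE_ALREADY_REGISTERED = 14   # NHRP reply error code shown on the slide

# Constructed sample: 10.0.0.11 first registers from NBMA 172.16.2.3 (accepted),
# then, after its public address changes, from 172.16.2.4 (refused with code 14).
SAMPLE_DEBUG = """\
NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 104
 (M) flags: "unique nat", reqid: 9470
     src NBMA: 172.16.2.3
     src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0)
NHRP: Send Registration Reply via Tunnel0 vrf 0, packet size: 124
 (M) flags: "unique nat", reqid: 9470
     src NBMA: 172.16.2.3
     src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0)
NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 104
 (M) flags: "unique nat", reqid: 9480
     src NBMA: 172.16.2.4
     src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: no error(0)
NHRP: Send Registration Reply via Tunnel0 vrf 0, packet size: 124
 (M) flags: "unique nat", reqid: 9480
     src NBMA: 172.16.2.4
     src protocol: 10.0.0.11, dst protocol: 10.0.0.1
 (C-1) code: unique address registered already(14)
"""

PKT_START = re.compile(r"^NHRP: (Receive Registration Request|Send Registration Reply)", re.M)
FIELDS = {
    "flags": re.compile(r'flags: "([^"]*)"'),
    "reqid": re.compile(r"reqid: (\d+)"),
    "nbma": re.compile(r"src NBMA: (\S+)"),
    "proto": re.compile(r"src protocol: (\S+?),"),
    "code": re.compile(r"\(C-1\) code: .*?\((\d+)\)"),
}


def parse_packets(text):
    """Split the debug into one dict per NHRP registration request/reply."""
    starts = [m.start() for m in PKT_START.finditer(text)] + [len(text)]
    packets = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        rec = {"kind": "request" if "Registration Request" in chunk.splitlines()[0] else "reply"}
        for name, rx in FIELDS.items():
            m = rx.search(chunk)
            rec[name] = m.group(1) if m else None
        rec["code"] = int(rec["code"]) if rec["code"] is not None else None
        rec["unique"] = "unique" in (rec["flags"] or "").split()
        packets.append(rec)
    return packets


def find_stale_unique_mappings(text):
    """One finding per refused registration: the spoke's tunnel address, the
    NBMA it is now using, and the NBMA the hub is still holding for it."""
    accepted = {}          # tunnel (protocol) address -> NBMA of last accepted registration
    findings = []
    for pkt in parse_packets(text):
        if pkt["kind"] != "reply":
            continue
        if pkt["code"] == UNIQUE_ALREADY_REGISTERED:
            findings.append({
                "spoke": pkt["proto"],
                "new_nbma": pkt["nbma"],
                "stale_nbma": accepted.get(pkt["proto"]),
                "fix": "ip nhrp registration no-unique on the spoke's tunnel interface",
            })
        elif pkt["code"] == 0:
            accepted[pkt["proto"]] = pkt["nbma"]
    return findings


if __name__ == "__main__":
    for f in find_stale_unique_mappings(SAMPLE_DEBUG):
        print("%(spoke)s moved %(stale_nbma)s -> %(new_nbma)s, hub refused it; fix: %(fix)s" % f)
```

Feed it a real capture (debug nhrp packet piped to a file, or a terminal log) instead of SAMPLE_DEBUG; the stale NBMA it reports is the one still visible in "show ip nhrp" on the hub until the holdtime expires.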
• Four Layers for Troubleshooting: VPN Routing Layer
The VPN routing layer is routing packets in and out of the p-pGRE and/or mGRE interfaces on the tunnel endpoint routers. This is done by running a dynamic routing protocol over the DMVPN tunnels.
[Diagram: the VPN layer (EIGRP/OSPF/RIP/ODR between endpoints X and Y) sits above the IPsec and GRE/NHRP layers; the IP infrastructure layer underneath reaches tunnel destinations a and b via STATIC, EIGRP, OSPF or BGP.]
• Four Layers for Troubleshooting: VPN Routing Layer
DMVPN component: routing
Regular IP networks:
  - IP routing updates and data packets traverse the same physical/logical links
  - The routing protocol monitors the state of all links that data packets can use
DMVPN IP networks:
  - IP routing updates and IP multicast data packets only traverse hub-and-spoke tunnels
  - Unicast IP data packets traverse both hub-and-spoke and direct dynamic spoke-to-spoke tunnels
  - The routing protocol does not monitor the state of spoke-to-spoke tunnels
• Four Layers for Troubleshooting: VPN Routing Layer
Check for routing neighbors and lifetimes:
    show ip route [eigrp | ospf | rip]
    show ip protocols
    show ip [eigrp | ospf] neighbor
Check multicast replication and connectivity:
    show ip nhrp multicast
    ping [224.0.0.10 (EIGRP) | 224.0.0.5 (OSPF) | 224.0.0.9 (RIP)]
    ping <tunnel-subnet-broadcast-address>    (example: 10.0.0.0/24 -> 10.0.0.255)
Debug: various debug commands depending on the routing protocol
• Four Layers for Troubleshooting: VPN Routing Layer: Routing Summary
Spokes are routing neighbors only with hubs, not with other spokes:
  - Spokes advertise their local networks to the hubs
Hubs are routing neighbors with spokes:
  - Collect spoke network routes from the spokes
  - Advertise spoke and local networks to all spokes
  - All phases: turn off split horizon (EIGRP, RIP); single area and no summarization when using OSPF
  - Phase 1 and 3: hubs do not need to preserve the original IP next hop and can summarize: EIGRP, BGP (next-hop-self); RIP, ODR (default); OSPF (network point-to-multipoint); the number of hubs is not limited
  - Phase 2: hubs must preserve the original IP next hop and cannot summarize: EIGRP (no ip next-hop-self eigrp); BGP (default); OSPF (network broadcast); only 2 hubs
Hubs are routing neighbors with other hubs and with the local network:
  - Phase 1 and 3: can use a different routing protocol than on the hub-spoke tunnels
  - Phase 2: must use the same routing protocol as on the hub-spoke tunnels
• Four Layers for Troubleshooting: VPN Routing Layer: Common Issues
Common issue: looking for a way to disable split tunneling on the spoke router, so that all traffic from the spoke, including Internet traffic, goes to the hub router, while spoke-to-spoke traffic still does not go through the hub.
• Common Issues: No split tunneling on DMVPN spoke
Problem description: the customer has corporate security policies that disable split tunneling and advertise a default route over the tunnel to all spokes. He wants to build spoke-to-spoke tunnels and at the same time wants all Internet traffic to go through the DMVPN hub located in the main corporate office.
• Common Issues: No split tunneling on DMVPN spoke
Solution: a default route from the ISP and a default route over the tunnel
  - In the spoke-to-spoke model, the spoke needs the ISP default route to reach the other spoke's public (NBMA) address, which it cannot know in advance.
  - The default route learned over the tunnel must not overwrite the ISP default route, or spoke-to-spoke communication breaks (and the tunnel destination itself would be routed back into the tunnel, the classic recursive routing failure).
  - Solution: use a Virtual Routing and Forwarding (VRF) instance so that both default routes live in separate tables.
• Common Issues: No split tunneling on DMVPN spoke
VRF and DMVPN. Typically VRFs are deployed in one of the following two configurations:
  - I-VRF (inside VRF): the GRE tunnel and LAN interface are configured in a VRF and the public interface (carrying GRE traffic) is in the global table
  - F-VRF (front-door VRF): the GRE tunnel and LAN interface stay in the global routing table but the public interface (carrying GRE traffic) is configured in a VRF
VRF configurations are a common way of handling dual default routes.
• Common Issues: No split tunneling on DMVPN spoke
DMVPN and I-VRF
  - IPsec packets (the encrypted GRE) are forwarded using the global routing table
  - GRE-decapsulated clear-text packets are forwarded using the associated VRF
[Diagram: Cisco IOS router; the IPsec+GRE WAN interface is in the global routing table, the GRE tunnel interface and LAN interface are in the VRF table.]

    interface Tunnel1
     ip vrf forwarding VRF-1
     tunnel source Serial0/0
    !
    interface Serial0/0
     description in global table
    !
    interface FastEthernet0/0
     ip vrf forwarding VRF-1
• Common Issues: No split tunneling on DMVPN spoke
DMVPN and F-VRF
  - IPsec packets (the encrypted GRE) are forwarded using the VRF routing table
  - GRE-decapsulated clear-text packets are forwarded using the global table
[Diagram: Cisco IOS router; the IPsec+GRE WAN interface is in the VRF table, the GRE tunnel interface and LAN interface are in the global routing table.]

    interface Tunnel1
     tunnel source Serial0/0
     tunnel vrf F-VRF
    !
    interface Serial0/0
     ip vrf forwarding F-VRF
    !
    interface FastEthernet0/0
     description in global table
• Common Issues: No split tunneling on DMVPN spoke
Dual default routes: spoke configuration with the WAN interface in a front-door VRF. Because the WAN interface is in a VRF, the ISAKMP pre-shared key must be defined in a keyring bound to that VRF. "tunnel vrf FVRF" forces the tunnel destination lookup into the VRF, while the tunnel and LAN interfaces stay in the global table. Enter "ip vrf forwarding" before "ip address" on the WAN interface, because assigning an interface to a VRF removes any address already configured on it.

    ip vrf FVRF
     rd 100:1
    !
    crypto keyring DMVPN vrf FVRF
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    !
    interface Tunnel0
     ip address 172.50.1.1 255.255.255.0
     ip nhrp authentication HBfR3lpl
     ip nhrp map multicast 3.3.3.3
     ip nhrp map 172.50.1.254 3.3.3.3
     ip nhrp network-id 1
     ip nhrp nhs 172.50.1.254
     ip nhrp shortcut
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel vrf FVRF
     tunnel protection ipsec profile dmvpn
    !
    interface GigabitEthernet0/0
     description WAN interface to ISP in vrf
     ip vrf forwarding FVRF
     ip address dhcp
    !
    interface GigabitEthernet0/1
     description LAN interface in global table

The wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is the lab value from the slide; a single key shared by every spoke lets any compromised spoke authenticate as any other peer, so in production prefer certificates or per-spoke keys.
• Common Issues: No split tunneling on DMVPN spoke
Dual default routes (cont.) How to verify: the spoke has one default route in the FVRF table (to the ISP, used only for the tunnel's NBMA destinations) and a second default route in the global table (learned over the tunnel, used for all LAN traffic including Internet traffic).

Spoke-A VRF routing table:

    Spoke-A# show ip route vrf FVRF
    Routing Table: FVRF
    Gateway of last resort is 192.168.0.254 to network 0.0.0.0
         192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
    C       192.168.0.0/24 is directly connected, GigabitEthernet0/0
    S*   0.0.0.0/0 [254/0] via 192.168.0.254

Spoke-A global routing table:

    Spoke-A# show ip route
    C    172.50.1.0 is directly connected, Tunnel0
    C    172.60.1.0 is directly connected, Tunnel1
    C    10.0.0.0/24 is directly connected, GigabitEthernet0/1.84
    D    0.0.0.0/0 [90/2844160] via 172.50.1.254, 00:03:45, Tunnel1
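To make the two-table behaviour concrete, here is an added example (not from the Cisco deck): a longest-prefix-match model of the spoke's forwarding decision that uses the addresses from the slides (tunnel 172.50.1.0/24, hub NBMA 3.3.3.3, FVRF default via 192.168.0.254, LAN 10.0.0.0/24). The second spoke (tunnel 172.50.1.7, NBMA 203.0.113.7, LAN 10.0.7.0/24) and its NHRP shortcut route are assumptions made up for the example. Running the same lookup with the global table as the tunnel VRF shows the recursive-routing failure that the front-door VRF avoids.

```python
"""Why 'no split tunneling' on a DMVPN spoke needs two routing tables.

Added example, not from the Cisco deck. Addresses follow the slides; the second
spoke (172.50.1.7 / 203.0.113.7 / 10.0.7.0/24) and its shortcut route are assumed.
"""
import ipaddress


class RouteTable:
    """Routes are (prefix, next hop or None for connected, outgoing interface)."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


# Front-door VRF: only the ISP-facing interface and the ISP default route.
FVRF = RouteTable("FVRF", [
    ("192.168.0.0/24", None, "GigabitEthernet0/0"),
    ("0.0.0.0/0", "192.168.0.254", "GigabitEthernet0/0"),
])

# Global table: tunnel, LAN, the hub-advertised default (no split tunnel) and an
# NHRP shortcut route for the other spoke's LAN (assumed, installed after a redirect).
GLOBAL = RouteTable("global", [
    ("172.50.1.0/24", None, "Tunnel0"),
    ("10.0.0.0/24", None, "GigabitEthernet0/1"),
    ("10.0.7.0/24", "172.50.1.7", "Tunnel0"),
    ("0.0.0.0/0", "172.50.1.254", "Tunnel0"),
])

# NHRP cache: tunnel (protocol) address -> NBMA address of the peer.
NHRP = {"172.50.1.254": "3.3.3.3", "172.50.1.7": "203.0.113.7"}


def trace(dst, tunnel_vrf, max_hops=4):
    """Follow a LAN-originated packet. The inner packet is looked up in the
    global table; whenever it exits Tunnel0 it is GRE/IPsec-encapsulated and the
    outer packet (to the peer's NBMA address) is looked up in 'tunnel_vrf', which
    is what 'tunnel vrf FVRF' selects. Returns (outcome, list of hops)."""
    hops, cur, table = [], dst, GLOBAL
    for _ in range(max_hops):
        route = table.lookup(cur)
        if route is None:
            return "drop", hops
        net, nh, ifc = route
        hops.append((table.name, cur, str(net), ifc))
        if not ifc.startswith("Tunnel"):
            return "forwarded", hops
        nbma = NHRP.get(nh or cur)        # connected tunnel subnet: the peer is dst itself
        if nbma is None:
            return "drop", hops           # nothing to encapsulate towards without an NHRP entry
        cur, table = nbma, tunnel_vrf
    return "recursive-routing", hops       # tunnel destination keeps resolving via the tunnel


if __name__ == "__main__":
    for dst, vrf in (("8.8.8.8", FVRF), ("10.0.7.5", FVRF), ("8.8.8.8", GLOBAL)):
        outcome, hops = trace(dst, vrf)
        print(dst, "with tunnel vrf", vrf.name, "->", outcome, hops)
```

With FVRF, Internet traffic hairpins through the hub (inner lookup hits the tunnel default, outer lookup hits the ISP default) while the spoke-to-spoke packet leaves directly via the ISP towards 203.0.113.7. With a single table the hub's NBMA address itself matches the tunnel default, so the outer packet is routed back into Tunnel0 indefinitely; a static host route for the hub NBMA via the ISP would patch that one case but not the dynamically learned spoke NBMAs, which is why the VRF is the right fix.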
    • Case Study
• Case Study
A customer is looking for help migrating an existing DMVPN using IKEv1 to IKEv2. Note that whichever of IKEv1 or IKEv2 is used, the final outcome of either protocol is the installation of IPsec SAs; the IPsec data-plane protocol itself is unchanged. We will discuss the guiding factors when migrating to IKEv2.
• Guiding Factors for Migration to IKEv2
  - Configuring IKEv2 requires a software upgrade, and therefore a maintenance window.
  - An IKEv2 initiator only initiates IKEv2 and establishes a tunnel with an IKEv2 responder. An IKEv2 responder can fall back to IKEv1, provided the relevant IKEv1 configuration is in place.
  - The IPsec profile configured under the tunnel interface determines whether the router initiates IKEv1 or IKEv2; it cannot initiate both.
• IKEv2 in a Few Words
  - Defined in RFC 4306, revised by RFC 5996 (since obsoleted by RFC 7296)
  - No interoperability with IKEv1
  - Not widespread... yet
  - Both versions use the same basic structure, aiming at privacy, integrity and authentication
  - Both run over UDP 500/4500
• Key Comparisons
IKEv1 is spread over several RFCs: ISAKMP (RFC 2408), IKE (RFC 2409) and the IPsec DOI (RFC 2407), with DPD, mode-config and NAT-T specified separately. IKEv2 (RFC 5996) coalesces these specifications under a single RFC.
  - IKEv1 exchanges: Main Mode or Aggressive Mode, then Quick Mode
  - IKEv2 exchanges: Initial Exchange (IKE_SA_INIT and IKE_AUTH), then CREATE_CHILD_SA
• Key Differentiators

    Feature            IKEv1                            IKEv2
    Auth messages      6 max                            open ended (EAP rounds)
    First IPsec SA     9 messages min                   ~4-6 messages min
    Authentication     pubkey-sig, pubkey-encr, PSK     pubkey-sig, PSK, EAP
    Anti-DoS           never worked                     works (stateless cookie challenge)
    Notifies           fire and forget                  acknowledged
• IKEv2 Exchanges Overview
  - IKE_SA_INIT (two messages): IKE SA parameters negotiated
  - IKE_AUTH (two messages): IKE authentication occurs and one CHILD_SA is created
  - CREATE_CHILD_SA (two messages): second CHILD_SA created
After these exchanges protected data flows between A and B.
• IKE_SA_INIT: Message 1
The initiator proposes the basic SA attributes along with its key exchange material (the authentication itself happens later, in IKE_AUTH). Equivalent to messages 1 and 3 of IKEv1 main mode.

    Initiator -> Responder:  HDR, SAi1, KEi, Ni

  - HDR: IKE header
  - SAi1: cryptographic algorithms the initiator is willing to support
  - KEi: initiator's Diffie-Hellman key exchange material
  - Ni: initiator nonce
• IKE_SA_INIT: Message 2
The responder sends back the set of attributes it accepts from the proposal, along with its key exchange material. Equivalent to messages 2 and 4 of IKEv1 main mode.

    Responder -> Initiator:  HDR, SAr1, KEr, Nr, [CERTREQ]

  - HDR: IKE header
  - SAr1: cryptographic algorithms the responder chose
  - KEr: responder's Diffie-Hellman key exchange material
  - Nr: responder nonce
  - CERTREQ: certificate request (optional)
• IKE_AUTH: Message 3
Authentication material is sent along with the first CHILD_SA information, all encrypted and integrity-protected with the keys derived from IKE_SA_INIT. Equivalent to message 5 of main mode plus part of quick mode in IKEv1.

    Initiator -> Responder:  HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}

  - SK{...}: payload encrypted and integrity protected
  - IDi: initiator identity
  - CERT: certificate
  - AUTH: authentication data
  - SAi2: proposal for the first CHILD_SA
  - TSi/TSr: traffic selectors (source/destination proxies)
• IKE_AUTH: Message 4
The responder's authentication material is sent along with the CHILD_SA information. Equivalent to message 6 of main mode plus part of quick mode in IKEv1. The VTI and GRE/IPsec tunnel is complete after this message.

    Responder -> Initiator:  HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

  - SK{...}: payload encrypted and integrity protected
  - IDr: responder identity
  - CERT: certificate
  - AUTH: authentication data
  - SAr2: SA, proposal and transform information to create the first CHILD_SA
  - TSi/TSr: traffic selectors (source/destination proxies)
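The "Payload contents: SA KE N ... NOTIFY(NAT_DETECTION_SOURCE_IP)" lines that debug crypto ikev2 prints later in this deck are a walk of exactly the header and payload chain described above. The following is an added example, not code from the Cisco deck or from Cisco IOS: it builds a constructed IKE_SA_INIT request, decodes the fixed IKE header and the payload chain following the layouts in RFC 7296 (sections 3.1, 3.2, 3.10 and 2.23), and checks the NAT detection hashes the way a responder does to decide whether the initiator sits behind a NAT. Payload bodies for SA, KE and the nonce are placeholders; the initiator SPI reuses the value from the debug on the slides.

```python
"""Decode an IKEv2 message header and payload chain and verify the NAT-T
detection notifies. Added example (RFC 7296 layouts), not Cisco code; the
message is constructed here and its SA/KE/nonce bodies are placeholders.
"""
import hashlib
import socket
import struct

EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "N", 41: "NOTIFY", 42: "D", 43: "VID", 44: "TSi", 45: "TSr", 46: "SK",
           47: "CFG", 48: "EAP"}
NOTIFY = {16384: "INITIAL_CONTACT", 16385: "SET_WINDOW_SIZE",
          16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16390: "COOKIE", 16392: "HTTP_CERT_LOOKUP_SUPPORTED"}
FLAG_I, FLAG_V, FLAG_R = 0x08, 0x10, 0x20      # Initiator, Version, Response bits
HDR_LEN = 28


def nat_detection_hash(spi_i, spi_r, ip, port):
    """RFC 7296 2.23: SHA-1(SPIi | SPIr | IP | port). A NAT rewrites IP/port, so
    the hash the peer sent no longer matches what the receiver computes."""
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_payload(next_type, body):
    """Generic payload header: next payload, critical bit/reserved, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_notify(msg_type, data, proto=0, spi=b""):
    return struct.pack("!BBH", proto, len(spi), msg_type) + spi + data


def build_ike_sa_init_request(spi_i, src_ip, src_port, dst_ip, dst_port):
    spi_r = b"\0" * 8                               # responder SPI is zero in message 1
    chain = [
        (33, b"\x00" * 8),                          # SA: placeholder proposal bytes (constructed)
        (34, struct.pack("!HH", 2, 0) + b"\x11" * 8),   # KE: DH group 2, placeholder key data
        (40, b"\x22" * 16),                         # Ni: constructed nonce
        (41, build_notify(16388, nat_detection_hash(spi_i, spi_r, src_ip, src_port))),
        (41, build_notify(16389, nat_detection_hash(spi_i, spi_r, dst_ip, dst_port))),
    ]
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        next_type = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += build_payload(next_type, pbody)
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, chain[0][0], 0x20, 34, FLAG_I,
                         0, HDR_LEN + len(body))
    return header + body


def parse_ike(msg):
    """Return a summary like the debug output: SPIs, exchange, role, payload names."""
    spi_i, spi_r, nxt, ver, xchg, flags, msg_id, length = struct.unpack("!8s8sBBBBII", msg[:HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (ver >> 4))
    if length != len(msg):
        raise ValueError("header length %d != %d bytes received" % (length, len(msg)))
    payloads, notifies, off = [], {}, HDR_LEN
    while nxt != 0:
        nxt_after, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length at offset %d" % off)
        body = msg[off + 4:off + plen]
        name = PAYLOAD.get(nxt, "UNKNOWN(%d)" % nxt)
        if nxt == 41:
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            name = "NOTIFY(%s)" % NOTIFY.get(ntype, ntype)
            notifies[ntype] = body[4 + spi_size:]
        payloads.append(name)
        nxt, off = nxt_after, off + plen
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "exchange": EXCHANGE.get(xchg, xchg),
            "request": not (flags & FLAG_R), "initiator": bool(flags & FLAG_I),
            "msg_id": msg_id, "payloads": payloads, "notifies": notifies}


def nat_in_path(parsed, seen_src_ip, seen_src_port):
    """True when NAT_DETECTION_SOURCE_IP does not match the address the packet
    really came from: the initiator is behind a NAT, so IKE floats to UDP 4500
    and ESP is UDP-encapsulated (the 'nat' flag NHRP shows on such spokes)."""
    spi_i, spi_r = bytes.fromhex(parsed["spi_i"]), bytes.fromhex(parsed["spi_r"])
    return parsed["notifies"][16388] != nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)


if __name__ == "__main__":
    msg = build_ike_sa_init_request(bytes.fromhex("24A34F622335D31A"), "172.16.1.1", 500, "172.17.0.1", 500)
    p = parse_ike(msg)
    print(p["exchange"], "REQUEST" if p["request"] else "RESPONSE", "Payload contents:", " ".join(p["payloads"]))
    print("NAT in path:", nat_in_path(p, "172.16.1.1", 500))
```

The same parser can be pointed at a UDP/500 capture; in IKE_SA_INIT everything is still in clear text, so the header fields, the payload chain and the NAT detection notifies are directly readable, which is what makes this exchange the right place to compare a sniffer trace with the debug output.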
• IKEv2 Configuration (consolidation)
The IKEv2 proposal holds the algorithms; the IKEv2 policy binds the proposal; the keyring holds the symmetric pre-shared key; the IKEv2 profile selects pre-shared-key authentication, with the local and remote authentication methods specified explicitly.

    crypto ikev2 proposal prop-1
     encryption aes-cbc-128 3des
     integrity sha1
     group 2
    !
    crypto ikev2 policy site-policy
     proposal prop-1
    !
    crypto ikev2 keyring V2-keyring
     peer cisco
      address 10.0.1.1
      pre-shared-key cisco123
    !
    crypto ikev2 profile prof
     match identity remote address 10.0.1.1
     authentication local pre-share
     authentication remote pre-share
     keyring V2-keyring
• IPsec and IKEv2: no further change (consolidation)
The IPsec side is unchanged; the only link to IKEv2 is "set ikev2-profile" in the IPsec profile that the tunnel interface already uses.

    crypto ikev2 proposal prop-1
     encryption aes-cbc-128 3des
     integrity sha1
     group 2
    !
    crypto ikev2 policy site-policy
     proposal prop-1
    !
    crypto ikev2 keyring V2-keyring
     peer dmvpn
      address 0.0.0.0
      pre-shared-key cisco123
    !
    crypto ikev2 profile ikev2prof
     match fvrf any
     match identity remote address 10.0.1.1
     authentication local pre-share
     authentication remote pre-share
     keyring V2-keyring
    !
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile ipsec_prof
     set transform-set TS
     set ikev2-profile ikev2prof
    !
    interface Tunnel0
     ip address 10.10.10.6 255.255.255.0
     ip mtu 1400
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile ipsec_prof
• IKEv2 Smart Defaults
Intelligent, reconfigurable defaults. Pre-existing constructs:
  - crypto ikev2 proposal default: AES-CBC 256, 192, 128, 3DES / SHA-512, 384, 256, SHA-1, MD5 / groups 5, 2
  - crypto ikev2 policy default (match any)
  - crypto ipsec transform-set default (AES-128, 3DES / SHA, MD5)
  - crypto ipsec profile default (default transform set, IKEv2 profile "default")
Only an IKEv2 profile called "default" needs to be created (certificate authentication via a PKI trustpoint in this example):

    crypto ikev2 profile default
     match identity remote address 10.0.1.1
     authentication local rsa-sig
     authentication remote rsa-sig
     pki trustpoint TP
    !
    interface Tunnel0
     ip address 192.168.0.1 255.255.255.252
     tunnel protection ipsec profile default
• IKEv2 Reconfigurable Defaults
All defaults can be modified, deactivated and restored. Default proposals are pre-configured for IKEv2 (crypto ikev2 proposal default) and for IPsec (crypto ipsec transform-set default).
Modifying the defaults:
    crypto ikev2 proposal default
     encryption aes-cbc-128
     integrity md5
    crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring the defaults:
    default crypto ikev2 proposal
    default crypto ipsec transform-set
Disabling the defaults:
    no crypto ikev2 proposal default
    no crypto ipsec transform-set default
Because the built-in defaults still admit 3DES, MD5 and DH group 2, trim them (or configure an explicit proposal and transform set) rather than relying on them unchanged in production.
• Migration Methods
Method 1: dual DMVPN network / dual tunnel interface approach on the hub, one tunnel for IKEv1 and the other for IKEv2.
Method 2: add IKEv2 to the existing DMVPN setup; while migrating all spokes to IKEv2, make sure IKEv1 spokes can still talk to IKEv2 spokes.
• Migration Methods
Basic strategy behind migration method 1:
  - Two DMVPN networks: one for IKEv1 and the other for IKEv2.
  - The hub therefore has two GRE tunnel interfaces with two different tunnel sources.
  - Each tunnel is configured with a different NHRP network ID.
  - Migrate the hub first, then migrate the existing DMVPN spokes to IKEv2.
• Method 1: Dual DMVPN/Dual Tunnel Interface
Migrating the hub configuration: IKEv2 proposal, the IKEv2 policy that binds it, a keyring with the symmetric pre-shared key, an IKEv2 profile using pre-shared-key authentication, and an IPsec profile that references the IKEv2 profile.

    crypto ikev2 proposal cisco
     encryption aes-cbc-128 3des
     integrity md5
     group 2
    !
    crypto ikev2 policy pol-1
     match fvrf any
     proposal cisco
    !
    crypto ikev2 keyring v2-kr1
     peer DMVPN
      address 0.0.0.0 0.0.0.0
      pre-shared-key cisco123
    !
    crypto ikev2 profile dmvpn
     match fvrf any
     match identity remote address 0.0.0.0
     authentication local pre-share
     authentication remote pre-share
     keyring local v2-kr1
    !
    crypto ipsec profile dmvpn-ikev2
     set transform-set trans
     set ikev2-profile dmvpn
• Method 1: Dual DMVPN/Dual Tunnel Interface
Migrating the hub configuration: the legacy IKEv1-facing tunnel and the new IKEv2-facing tunnel, each with its own tunnel source, NHRP network ID and IPsec profile.

    interface Tunnel0
     description This is the legacy IKEv1 facing tunnel
     bandwidth 1000
     ip address 10.10.20.2 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     ip nhrp redirect
     tunnel source Ethernet1/0
     tunnel mode gre multipoint
     tunnel key 10000
     tunnel protection ipsec profile dmvpn
    !
    interface Tunnel1
     description This is the IKEv2 facing tunnel
     bandwidth 1000
     ip address 10.10.10.2 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 200
     ip nhrp redirect
     tunnel source Ethernet1/1
     tunnel mode gre multipoint
     tunnel key 10000
     tunnel protection ipsec profile dmvpn-ikev2
• Method 1: Dual DMVPN/Dual Tunnel Interface
Migrating the spoke configuration:
  - Upgrade the spokes to a version that supports IKEv2.
  - Configure the crypto portion of the IKEv2 configuration.
  - Apply the IPsec profile containing the IKEv2 profile to the existing tunnel interface.
  - Make sure the NHS address is the one used on the hub's IKEv2 tunnel interface (and the NHRP network ID matches that tunnel).
  - Once the IKEv2 IPsec profile is applied to the tunnel interface, the spoke only initiates IKEv2 requests.
  - IKEv1 spokes can only talk to IKEv2 spokes through the hub, since they are on different DMVPN networks.

    interface Tunnel1
     ip address 10.10.10.6 255.255.255.0
     no ip redirects
     ip nhrp map multicast 172.17.0.9
     ip nhrp map 10.10.10.2 172.17.0.9
     ip nhrp nhs 10.10.10.2
     ip nhrp network-id 200
     ip nhrp shortcut
     tunnel source Ethernet1/1
     tunnel mode gre multipoint
     tunnel key 10000
     tunnel protection ipsec profile dmvpn-ikev2
• Method 2: Adding IKEv2 to the Existing DMVPN Network
Key points for method 2:
  - First configure the IKEv2 part on the hub router.
  - Apply the IPsec profile that references the IKEv2 profile under the hub's tunnel interface.
  - For an IKEv1 spoke to communicate with an IKEv2 spoke, keep the IKEv1 crypto configuration on the IKEv2 spoke while the IKEv2 IPsec profile is applied to its tunnel interface.
  - An IKEv2 spoke cannot initiate an IKEv1 request, so the IKEv1 spoke has to initiate the tunnel and the IKEv2 spoke acts as responder.
• Method 2: Adding IKEv2 to the Existing DMVPN Network: Configuration
IKEv2 part:

    crypto ikev2 proposal cisco
     encryption aes-cbc-128 3des
     integrity md5
     group 2
    !
    crypto ikev2 policy pol-1
     match fvrf any
     proposal cisco
    !
    crypto ikev2 keyring v2-kr1
     peer DMVPN
      address 0.0.0.0 0.0.0.0
      pre-shared-key cisco123
    !
    crypto ikev2 profile dmvpn
     match fvrf any
     match identity remote address 0.0.0.0
     authentication local pre-share
     authentication remote pre-share
     keyring local v2-kr1

IKEv1 part, kept so the router can still respond to IKEv1 peers:

    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp key cisco123 address 0.0.0.0

IPsec profile referencing the IKEv2 profile, applied to the existing tunnel interface:

    crypto ipsec profile dmvpn-ikev2
     set transform-set trans
     set ikev2-profile dmvpn
    !
    interface Tunnel0
     bandwidth 1000
     ip address 10.10.10.2 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp redirect
     ip tcp adjust-mss 1360
     tunnel protection ipsec profile dmvpn-ikev2
• Sample Debugs for IKEv2: debug crypto ikev2, SA init exchange
The first two packets of the negotiation (IKE_SA_INIT request and response). Note the all-zero responder SPI in the request, and the NAT detection notifies carried in both directions:

    CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    IKEv2:% Getting preshared key from profile keyring v2-kr1
    IKEv2:% Matched peer block 'DMVPN'
    IKEv2:Found Policy 'pol-1'
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
    IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
    IKEv2:(SA ID = 1):Sending Packet [To 172.17.0.1:500/From 172.16.1.1:500/VRF i0:f0]
    Initiator SPI : 24A34F622335D31A - Responder SPI : 0000000000000000 Message id: 0
    IKEv2 IKE_SA_INIT Exchange REQUEST
    Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
    IKEv2:(SA ID = 1):Received Packet [From 172.17.0.1:500/To 172.16.1.1:500/VRF i0:f0]
    Initiator SPI : 24A34F622335D31A - Responder SPI : 08E1E73A3DA27BE4 Message id: 0
    IKEv2 IKE_SA_INIT Exchange RESPONSE
    Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
    IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
    IKEv2:(SA ID = 1)Completed SA init exchange
• Sample Debugs for IKEv2: debug crypto ikev2, IKE_AUTH message
The second two packets (IKE_AUTH request and response): the peers authenticate (PSK here) and the first CHILD_SA is created, with the ESP proposal 3DES/SHA96 in this example:

    IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
    IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
    IKEv2:(SA ID = 1):Get my authentication method
    My authentication method is PSK
    *Jun 4 18:48:23.811: IKEv2:(SA ID = 1)Generating IKE_AUTH message
    IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
    Num. transforms: 3 3DES SHA96 Dont use ESN
    *Jun 4 18:48:23.811: IKEv2:(SA ID = 1):Building packet for encryption.
    VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
    IKEv2:(SA ID = 1):Sending Packet [To 172.17.0.1:500/From 172.16.1.1:500/VRF i0:f0]
    Initiator SPI : 24A34F622335D31A - Responder SPI : 08E1E73A3DA27BE4 Message id: 1
    IKEv2 IKE_AUTH Exchange REQUEST
    IKEv2:(SA ID = 1):Received Packet [From 172.17.0.1:500/To 172.16.1.1:500/VRF i0:f0]
    Initiator SPI : 24A34F622335D31A - Responder SPI : 08E1E73A3DA27BE4 Message id: 1
    IKEv2 IKE_AUTH Exchange RESPONSE
    Payload contents: VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
    IKEv2:(SA ID = 1):Process auth response notify
    IKEv2:(SA ID = 1):Verification of peers authentication data PASSED
    IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 3 hmac 2 flags 8177 keysize 0 IDB 0x0
    IKEV2 SA created; inserting SA into database
    IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
    IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
• Verification: show commands for IKEv2
show crypto ikev2 session and show crypto ikev2 stats. In the session output note the tunnel-id with local/remote addresses, the rekey lifetime and active time, the traffic selectors (TSi/TSr, the tunnel endpoints for GRE/IPsec) and the inbound/outbound ESP SPIs:

    R500_spokeA# show crypto ikev2 session
     IPv4 Crypto IKEv2  Session
    Session-id:761, Status:UP-ACTIVE, IKE count:1, CHILD count:1
    Tunnel-id Local                 Remote                fvrf/ivrf            Status
    1         172.16.1.1/500        172.17.0.1/500        none/none            READY
          Encr: AES-CBC, keysize: 128, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/15103 sec
    Child sa: local selector  172.16.1.1/0 - 172.16.1.1/65535
              remote selector 172.17.0.1/0 - 172.17.0.1/65535
              ESP spi in/out: 0x80CA7EF9/0x7BB6DEF0

The stats output shows incoming and outgoing IKEv2 requests, rejected and dropped packets, and cookie-challenged requests:

    R500_spokeA# show crypto ikev2 stats
    --------------------------------------------------------------------------------
     Crypto IKEv2 SA Statistics
    --------------------------------------------------------------------------------
    System Resource Limit:   0        Max IKEv2 SAs:   0        Max in nego:  1000
    Total IKEv2 SA Count:    1        active:          1        negotiating:     0
    Incoming IKEv2 Requests: 0        accepted:        0        rejected:        0
    Outgoing IKEv2 Requests: 761      accepted:        761      rejected:        0
    Rejected IKEv2 Requests: 0        rsrc low:        0        SA limit:        0
    IKEv2 packets dropped at dispatch: 0
    Incoming IKEV2 Cookie Challenged Requests: 0
        accepted: 0        rejected: 0        rejected no cookie: 0
• Conclusion
Both migration methods provide the same result: the final outcome of either protocol is the installation of IPsec SAs, and the IPsec data-plane protocol is unchanged. Whichever migration method is used, make sure that at the end of the complete migration all spokes are using IKEv2.
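The closing check ("all spokes are using IKEv2") is worth scripting on the hub, where both the IKEv2 sessions and any leftover IKEv1 SAs are visible. The following is an added example, not code from the Cisco deck: it parses the hub's "show crypto ikev2 session" output (same layout as the slide above) and "show crypto isakmp sa" output, classifies each expected spoke as IKEv2, still IKEv1, or not connected, and flags IKEv2 sessions that negotiated algorithms a practitioner would not want to keep (MD5, 3DES, DH groups 1/2/5). The two command outputs and the spoke list are constructed for the example.

```python
"""Inventory which DMVPN spokes have reached IKEv2 after a migration.

Added example, not Cisco code. Parses the hub's 'show crypto ikev2 session'
(layout as on the slide) and 'show crypto isakmp sa' outputs; both sample
outputs and the list of spoke NBMA addresses are constructed for the example.
"""
import re

# Constructed 'show crypto ikev2 session' output from the hub (local = hub).
IKEV2_SESSIONS = """\
 IPv4 Crypto IKEv2  Session

Session-id:761, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.17.0.1/500        172.16.1.1/500        none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/15103 sec
Session-id:762, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         172.17.0.1/500        172.16.1.2/4500       none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/812 sec
"""

# Constructed 'show crypto isakmp sa' output from the same hub (src = spoke).
ISAKMP_SAS = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.17.0.1      172.16.1.3      QM_IDLE           1003 ACTIVE
172.17.0.1      172.16.1.4      MM_NO_STATE       1004 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

V2_SESSION = re.compile(r"^\s*\d+\s+\S+/\d+\s+(\S+)/(\d+)\s+\S+\s+(\S+)\s*$")
V1_SA = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.*)$", re.M)
WEAK = ("MD5", "3DES", "DH Grp:1,", "DH Grp:2,", "DH Grp:5,")


def parse_ikev2_sessions(text):
    """Remote peer address -> {remote_port, status, crypto line}."""
    peers, current = {}, None
    for line in text.splitlines():
        m = V2_SESSION.match(line)
        if m:
            current = {"remote_port": int(m.group(2)), "status": m.group(3), "crypto": ""}
            peers[m.group(1)] = current
        elif current is not None and line.strip().startswith("Encr:"):
            current["crypto"] = line.strip()
    return peers


def parse_isakmp_sas(text):
    """Peer (src column) -> {state, status} for IKEv1 SAs."""
    return {m.group(2): {"state": m.group(3), "status": m.group(5).strip()}
            for m in V1_SA.finditer(text)}


def weak_crypto(crypto_line):
    """Algorithms in an 'Encr:' line that should not survive the migration."""
    return [w.rstrip(",") for w in WEAK if w in crypto_line]


def migration_report(spokes, ikev2_text, isakmp_text):
    """For each expected spoke: 'v2' (with NAT-T and weak-algorithm flags),
    'v1' (still to migrate), or None (no established IKE SA at all)."""
    v2, v1 = parse_ikev2_sessions(ikev2_text), parse_isakmp_sas(isakmp_text)
    report = {}
    for spoke in spokes:
        if spoke in v2 and v2[spoke]["status"] == "READY":
            report[spoke] = {"ike": "v2", "nat": v2[spoke]["remote_port"] == 4500,
                             "weak": weak_crypto(v2[spoke]["crypto"])}
        elif spoke in v1 and v1[spoke]["state"] == "QM_IDLE" and v1[spoke]["status"] == "ACTIVE":
            report[spoke] = {"ike": "v1", "nat": None, "weak": []}
        else:
            report[spoke] = {"ike": None, "nat": None, "weak": []}
    return report


if __name__ == "__main__":
    spokes = ["172.16.1.1", "172.16.1.2", "172.16.1.3", "172.16.1.4", "172.16.1.5"]
    for spoke, r in migration_report(spokes, IKEV2_SESSIONS, ISAKMP_SAS).items():
        print(spoke, r)
```

Run it against the real outputs collected from the hub after each batch of spokes; any "v1" entry is a spoke still to migrate, any None entry is a spoke that lost its tunnel during the change, and the "weak" list tells you which IKEv2 proposals still need tightening once everything is on IKEv2.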
    • DMVPN Best Practice ConfigurationExamples
• DMVPN Best Practice Configuration
  - Use "mode transport" on the transform set: NHRP needs it for NAT support, and it saves 20 bytes per packet.
  - MTU issues:
        ip mtu 1400
        ip tcp adjust-mss 1360
        crypto ipsec fragmentation after-encryption    (global)
  - NHRP:
        ip nhrp holdtime <seconds>    (recommended values 300-600)
        ip nhrp registration no-unique
  - ISAKMP Call Admission Control (CAC), on spokes and hubs:
        call admission limit <percent>    (hubs)
        crypto call admission limit {ike {in-negotiation-sa number | sa number}}
  - Keepalives on spokes (GRE tunnel keepalives are not supported on mGRE interfaces):
        crypto isakmp keepalive 20 5
    For IKEv2 the equivalent is "dpd 20 5 on-demand" under the IKEv2 profile.
  - Invalid-SPI recovery is not useful here.
• Recommended Releases
6500/7600 with VPN-SPA and Sup720:
  - 7600: 12.2(33)SRC6, 12.2(33)SRD4, 12.2(18)SXF17a
  - 6500: 12.2(33)SXH7, 12.2(18)SXF17a, 12.2(33)SXI3 (TCP adjust-mss command included)
  - Caveats: multicast data handling; DMVPN Phase 3 is not supported yet on the 6500; OSPF routing protocol scaling
ASR as DMVPN hub or spoke:
  - Phase 2 (Release 3): 2.4.4 (02.04.04.122-33.XND4)
  - Phase 3 (Release 5): 2.6.2 (02.06.02.122-33.XNF2)
  - Release 7: 3.3.0S (03.03.00.151-2.S), 3.4.2S (03.04.02.151-3.S2)
87x, 18xx, 28xx, 38xx:
  - IOS 12.4 mainline: 12.4(23)b*, 12.4(25)f*
  - IOS 12.4 T-train: 12.4(15)T17, 12.4(24)T6
  - IOS 15 mainline/T-train: 15.0(1)M7, 15.1(4)M3, 15.1(3)T3
720x (NPE-G2 + VSA):
  - IOS 12.4 mainline: 12.4(25)f
  - IOS 12.4 T-train: 12.4(15)T17, 12.4(24)T6
  - IOS 15 mainline: 15.0(1)M7, 15.1(4)M3a
  - IOS 15 S-train: 15.1(3)S2
89x, 19xx, 29xx, 39xx:
  - IOS 15 mainline/T-train: 15.0(1)M7, 15.1(4)M3, 15.1(2)T3, 15.2(2)T
• Final Thoughts
  - Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
  - Come see demos of many key solutions and products in the main Cisco booth 2924
  - Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more
  - Follow Cisco Live using social media: Facebook https://www.facebook.com/ciscoliveus, Twitter https://twitter.com/#!/CiscoLive, LinkedIn group http://linkd.in/CiscoLI