Hello everyone,andwelcome backtomy little corner of the Internet. I always take inspiration from what I'm currently working on in my day job when putting together an idea for a post and/or video. Right now, we're building a new data center to host the hands-on lab environments for learners, whether you're training in Cisco U. or taking a course with your favorite Cisco instructor. As youmay know, ALOT goes into building a new data center. But since I'm working on building the IPSEC VPN connections between this new data centerandthe others in our network, let's narrow it downandtake a technical look at IPSEC VPN tunnel creation.
Inthis blog post and the accompanying video, I'll cover the IPSEC VPN tunnel creation process. We'll explore "Phase 1" and "Phase 2" and take a look at how the ACLs that identify "interesting traffic" impact the security associations that are built. We'll even look at the packets involved in the communications as tunnels are set up. If that sounds good to you, continue on, network adventurer!
"Technically Speaking... with Hank Preston" is a segment onThe U. series.
Available on the Cisco U. by Learning and Certifications YouTube Channel. View Playlist
If you're new here, I'm Hank Preston, Principal Engineer on the Labs and Systems team in Cisco Learning and Certifications. I've been building IPSEC VPNs for almost my entire career as a network engineer. Infact, one of my first jobs as a shiny new network engineer was building out IPSEC VPN connections using Cisco PIX firewalls for a Cisco Partner. For me, that meant taking the configuration templates built by the team's more senior engineers and updating them with the details for a particular tunnel creation.
It wasn't a problem... until there was one. You see, I didn't really know what all the commands did back then. So when things didn't work right away, finding the problem and knowing how to fix it was a bit of a mystery to me. Thankfully, there were some very good mentors and senior engineers to guide me.
I had to learn the commands to run to help me determine the problem and how to fix it. It was during these troubleshooting sessions I first learned terms like "Phase 1," "Phase 2," "Main Mode," "Quick Mode," and "Aggressive Mode," as well as the protocols involved, like ISAKMP, IKE, IPSEC. It was a lot of fun, and it was only the beginning.
Over the years, my depth of understanding grew, transforming me into a senior engineer, not unlike those who nurtured my own curiosity. Inaddition to learning on the job, I had to dive deep into IPSEC VPNs to prepare for my Cisco certification exams. Even though I was preparing for now-retired certifications like CCNA Security, CCSP, and "VPN Specialist," IPSEC knowledge is still important to this day.
IPSEC knowledge is critical for real-world applicationsandcurrent Cisco certification exams. Infact, it's listed on the 200-301 CCNA exam topics, which is quite telling since the CCNA certification is the mark of someone who has the foundational knowledge to take their tech career in multiple directions. But that's not all. IPSEC is on the CCNP Enterprise Core Exam, CCNP Security Core Exam, CCNP Security VPN Specialist, CCIE Enterprise Lab Exam, CCIE Security Lab Exam, and probably others. I didn't check.
So when honing in on a topic for this month, my first choice was IPSEC VPNs.IPSEC VPNs is a huge topic, though. I knew I couldn't cover everything in a single short "Technically Speaking..." installment. Infact, I hadn't decided exactly where to focus until I was in the middle of standing up a new tunnel connection between two of our data centers.
There I was, monitoring the tunnel status to ensure everything was healthy, when I found myself on the CLI of one of the firewalls, running commands I'd run thousands of times: "show crypto isakmp sa" and "show crypto ipsec sa." As I verified that each security association for the traffic types had come up and was healthy, I reflected on my early days of building VPNs on PIXs running these same commands and not knowing what I was looking at. And that's when it hit me:this would make an excellent addition to the library.
And here were are. Feel free to use the video above to help you follow what I have outlined below. Alright, adventurers... let's jump in.
Before we start looking at the tunnel creation, we need a network to work with. So, I put together a fairly straightforward 2-site network:
Simple 2-site NetworkSite 1(bottom in the diagram) has two local networks; a YELLOW network and a BLUE network.
Site 2(top in the diagram) has a single local network, the PURPLE network.
Each site is connected to an untrusted WAN by a firewall. The firewall is configured like firewalls often are: to perform NAT/PAT on traffic passing from "inside" to "outside."
Bringing the IPSEC VPN concept into this network, the goal is to create a tunnel between the two firewalls that will allow traffic between the sites to be securely tunneled across the WAN. This would then provide a network path for hosts on Site 1's YELLOW and BLUE networks to reach the hosts on Site 2's PURPLE network.
Just to let you know... the focus of this post is NOT on the configuration required to set up the network or the IPSEC tunnel itself.Instead, we will look at theprocessthat happens to establish and build the connections when relevant traffic arrives at the firewall and initiates the IPSEC process.
If you'd like to see the configurations in this setup, I have posted a CML topology file for this network in the CML Community on GitHub. If you'd like to dive deeper and try some of this exploration yourself, download the file and run it on your CML server.
Just because a VPN is configured on a firewall doesn't mean the tunnel will be established.
Let'stake a look at the access list onSite1-FWthat defines this "interesting traffic."
Site1-FW#show access-lists2svpn_to_site2access-list s2svpn_to_site2; 2 elements; name hash: 0xa681e779access-list s2svpn_to_site2 line 1 extended permit ip object-group SITE1 object-group SITE2 log default (hitcnt=0) 0xb520aee6 access-list s2svpn_to_site2 line 1 extended permit ip192.168.200.0 255.255.255.0 172.16.10.0 255.255.255.0log default (hitcnt=0) 0xfab888fb access-list s2svpn_to_site2 line 1 extended permit ip192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.0log default (hitcnt=0) 0xb7b04209 Site1-FW#show run crypto map | inc matchcrypto map outside_map 1 match address| inc matchcrypto map outside_map 1 match address s2svpn_to_site2
Inthe ACL above, you'll see there is a line that permits traffic from theBLUEnetwork (192.168.200.0/24) to thePURPLEnetwork (172.16.10.0) and a second line that permits traffic from theYELLOWnetwork (192.168.100.0/24) also to thePURPLEnetwork. This ACL is used to MATCH traffic in the crypto map configuration. So when traffic passes through the router that matches this ACL, it will initiate the tunnel bring-up process.
The ACL on Site2-FWlooks very similar to this one. However, the source and destination networks are swapped, withPURPLEbeing the source andBLUE and YELLOWas the destinations in each line.
If we look at the current state of the VPN tunnel, we'll see that there is no ISAKMP or IPSEC security association built yet.
Site1-FW#show crypto isakmp sa There are no IKEv1 SAsThere are no IKEv2 SAsSite1-FW#show crypto ipsec saThere are no ipsec sas
Let's take just a minute to talk about what a "security association" or "sa" is in the context of IPSEC VPNs.
A Security Association (SA)is an established relationship between devices that define the explicit mechanisms that will allow secure communications. AnSAincludes theencryption protocols(such as AES),hashing mechanisms(such as SHA), andDiffie-Hellman Group(such as group-14) used for communications. The two gateway devices building the tunnel negotiate these details during the security association establishment process. Phase 2 SAs, or IPSEC SAs, will also include the local and remote addresses allowed to communicate over the security association.
While we often think of IPSEC VPNs as beingonetunnel, as in a single tunnel between two locations. However, it is more accurate to think of an IPSEC VPN as acollectionof tunnels between two locations, with each security association as its own unique encrypted tunnel. We'll explore this idea a bit more as we explore the establishment of the VPN between the two sites.
And now, the time has come to bring up the VPN. We'll start by sending some interesting traffic from Site1-Host1 in the form of five 100-byte ping packets.
Site1-Host1:~$ping -s 100 -c 5 172.16.10.11PING 172.16.10.11 (172.16.10.11): 100 data bytes108 bytes from 172.16.10.11: seq=1 ttl=42 time=11.127 ms108 bytes from 172.16.10.11: seq=2 ttl=42 time=11.032 ms108 bytes from 172.16.10.11: seq=3 ttl=42 time=12.246 ms108 bytes from 172.16.10.11: seq=4 ttl=42 time=11.046 ms--- 172.16.10.11 ping statistics ---5 packets transmitted, 4 packets received, 20% packet lossround-trip min/avg/max = 11.032/11.362/12.246 ms
Notice in the output above that 5 packets were sent, but only 4 were received? This is because the first packet is lost while the tunnel is established.
Now let's look at the state of the VPN tunnel onSite1-FW-but first, let's begin with the ISAKMP Security Association.
Site1-FW#show crypto isakmp sa There are no IKEv1 SAsIKEv2 SAs:Session-id:85, Status:UP-ACTIVE, IKE count:1, CHILD count:1Tunnel-id Local Remote Status Role18827171510.255.1.2/50010.255.2.2/500 READY INITIATOREncr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/13 secChild sa: local selector 192.168.100.0/0 - 192.168.100.255/65535 remote selector 172.16.10.0/0 - 172.16.10.255/65535 ESP spi in/out: 0xed866a3c/0xb89f38c9
Let's take a moment to understand what this output is telling us:
Now is an excellent time to discuss the Phase 1 and Phase 2 parts of IPSEC VPN tunnels.
Phase 1 refers to the ISAKMP Security Association establishment, while Phase 2 is often considered the IPSEC Security Association. In fact, the command we run to explore the Phase 2 SAs is "show crypto ipsec sa." To be a bit more accurate, Phase 2 is actually the establishment of either the Encapsulating Security Payload (ESP) or Authentication Header (AH) Security Associations. Both Phase 1 and Phase 2 must complete and negotiate their relevant SAs before traffic can flow over the VPN connection.
I know what you are likely thinking...2 phases? Why not just 1?It's a good question, and the details of the "why" are a bit out of scope for this blog post. But I will explain what happens in each Phase and how they are related.
In Phase 1, the IKE (Identity Key Exchange) protocol and ISAKMP are used to set up a control channel between the two VPN endpoints. That control channel is used to create the encryption keys and negotiate details necessary to securely transport data between them. In our example, a preshared key (PSK) is used on both devices for initial identification and authentication of each other. Then, Diffie-Hellman is used to create the actual encryption keys used to secure the communications. With the Phase 1, or ISAKMP, Security Association established, the devices move onto Phase 2.
In Phase 2, the two devices build either ESP or AH Security Associations using keys created and communicated between the devices using the Phase 1 Security Association. Once established, data can now be sent over the Phase 2 SAs between devices.
The ESP and AH protocols have no methods of their own to perform the control steps and negotiations necessary to set up a Security Association; they rely on ISAKMP and IKE to provide that service. And ISAKMP and IKE can't transport data payloads over their SAs. Each "phase" provides essential parts of the complete IPSEC VPN tunnel creation.
The output of "show crypto isakmp sa" listed the "Child SA" and some details of Phase 2, but let's look at all the details of this phase now.
Site1-FW#show crypto ipsec sainterface: outsideCrypto map tag: outside_map, seq num: 1, local addr: 10.255.1.2access-list s2svpn_to_site2 extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.0 log defaultlocal ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)current_peer: 10.255.2.2#pkts encaps: 4,#pkts encrypt: 4,#pkts digest: 4#pkts decaps: 4,#pkts decrypt: 4,#pkts verify: 4#pkts compressed: 0,#pkts decompressed: 0#pkts not compressed: 4,#pkts comp failed: 0,#pkts decomp failed: 0#pre-frag successes: 0,#pre-frag failures: 0,#fragments created: 0#PMTUs sent: 0,#PMTUs rcvd: 0,#decapsulated frgs needing reassembly: 0#TFC rcvd: 0,#TFC sent: 0#Valid ICMP Errors rcvd: 0,#Invalid ICMP Errors rcvd: 0#send errors: 0,#recv errors: 0local crypto endpt.: 10.255.1.2/500, remote crypto endpt.: 10.255.2.2/500path mtu 1500, ipsec overhead 74(44), media mtu 1500PMTU time remaining (sec): 0, DF policy: copy-dfICMP error validation: disabled, TFC packets: disabledcurrent outbound spi: B89F38C9current inbound spi : ED866A3Cinbound esp sas:spi: 0xED866A3C (3985009212)SA State: activetransform: esp-aes-256 esp-sha-hmac no compressionin use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }slot: 0, conn_id: 165, crypto-map: outside_mapsa timing: remaining key lifetime (kB/sec): (3962879/28775)IV size: 16 bytesreplay detection support: YAnti replay bitmap:0x00000000 0x0000001Foutbound esp sas:spi: 0xB89F38C9 (3097442505)SA State: activetransform: esp-aes-256 esp-sha-hmac no compressionin use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }slot: 0, conn_id: 165, crypto-map: outside_mapsa timing: remaining key lifetime (kB/sec): (3916799/28775)IV size: 16 bytesreplay detection support: YAnti replay bitmap:0x00000000 0x00000001
This output has a lot of detail, which can make it a bit overwhelming. Let's break it down:
Seeing the output of the tunnel establishment on the firewall CLI is nice, but I find I understand the process even better by looking at the packets involved in the communications. And this is one of the reasons I like using Cisco Modeling Labs (CML) when labbing and learning. With CML, you can easily set up a packet capture on any interface in the topology. And it even supports filters to limit and target the traffic I'm interested in seeing.
CML Packet Capture SettingsI set up a packet capture on the interface betweenSite1-FWand the WANrouter, filtered to just ISAKMP (udp/500), ESP (ip/50), and ICMP (ip/1) and started capturing packets before sending the traffic to bring up the tunnel. Then once completed, I downloaded the PCAP file to explore in detail with Wireshark.
The image above shows the packets sent when the 5 pings were sent across the network. You can see the two separate phases quite clearly here just by looking at the Protocol of the communications. My tunnel is configured to use IKEv2, the latest version of IKE, which requires fewer packets to bring up a tunnel than IKEv1. So here we can see that only 4 packets are transmitted between the firewalls before the ESP Security Associations are built and able to send the ICMP traffic. We can't tell that the data in the packets is ICMP because it is encrypted (we built a VPN, after all).
Also, take a look at the SPI values shown in the output for the ESP packets. These match the SPI values we saw in the output from "show crypto ipsec sa."
inbound esp sas:spi: 0xED866A3C (3985009212)..outbound esp sas:spi: 0xB89F38C9 (3097442505)..
We can even see the details of the negotiation between peers by looking at the Initiator Request packet.
With the Security Association Payload of the packet, you can look at the Phase 1 proposal details for the encryption, hashing, and DH group, as well as the Transform Sets available for use in the Phase 2 SAs.
Am I the only one who is alwaysamazedwhen I see packets match what I configured or expect? (Networking really is pretty awesome.)
At this point, the VPN is up, but only one set of "interesting" traffic has been sent so far. So what happens when a host on the BLUE network tries to communicate with the PURPLE network?
To see this in action, we'll send 5 two hundred byte packets fromSite1-Host2 to Site2-Host2.
Site1-Host2:~$ping -c 5 -s 200 172.16.10.21PING 172.16.10.21 (172.16.10.21): 200 data bytes208 bytes from 172.16.10.21: seq=1 ttl=42 time=12.105 ms208 bytes from 172.16.10.21: seq=2 ttl=42 time=10.356 ms208 bytes from 172.16.10.21: seq=3 ttl=42 time=11.046 ms208 bytes from 172.16.10.21: seq=4 ttl=42 time=11.158 ms--- 172.16.10.21 ping statistics ---5 packets transmitted, 4 packets received, 20% packet lossround-trip min/avg/max = 10.356/11.166/12.105 ms
Just like the last time, only 4 of the 5 packets were received. You might be thinking...But Hank, the tunnel is already up... why was a packet lost?"
The tunnel, or Security Association, that is "up" is the one that allows traffic from YELLOW to PURPLE. Traffic from BLUE isdifferent"interesting" traffic, which requires its own Security Association to be created. We can see this new SA by exploring the output of the commands on the firewall.
First up, the "show crypto isakmp sa" command.
Site1-FW#show crypto isakmp saThere are no IKEv1 SAsIKEv2 SAs:Session-id:85, Status:UP-ACTIVE, IKE count:1, CHILD count:2Tunnel-id Local Remote Status Role18827171510.255.1.2/500 10.255.2.2/500 READY INITIATOR Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/66 secChild sa: local selector 192.168.200.0/0 - 192.168.200.255/65535 remote selector 172.16.10.0/0 - 172.16.10.255/65535 ESP spi in/out: 0xc8fce690/0xf34ce0e2 Child sa: local selector 192.168.100.0/0 - 192.168.100.255/65535 remote selector 172.16.10.0/0 - 172.16.10.255/65535 ESP spi in/out: 0xed866a3c/0xb89f38c9
If you scroll up, you can verify that theTunnel-idis the same as the last time we ran the command, showing that the same Phase 1 Security Association is still active and being used. And now we see a second "Child SA" listed. TheYELLOWSA is still listed, and the SPI values are also the same as before. Only now, we have a newBLUESecurity Association with unique SPI values and "local selector" values.
We can also look at the details of the BLUE ESP SA by checking the "show crypto ipsec sa" command. (The command will also show the latest details about the YELLOW SA, but I've deleted that from the output to focus on the new one.)
Site1-FW#show crypto ipsec sa interface: outside.. Crypto map tag: outside_map, seq num: 1, local addr: 10.255.1.2access-list s2svpn_to_site2 extended permit ip 192.168.200.0 255.255.255.0 172.16.10.0 255.255.255.0 log defaultlocal ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0) current_peer: 10.255.2.2#pkts encaps: 4,#pkts encrypt: 4,#pkts digest: 4#pkts decaps: 4,#pkts decrypt: 4,#pkts verify: 4#pkts compressed: 0,#pkts decompressed: 0#pkts not compressed: 4,#pkts comp failed: 0,#pkts decomp failed: 0#pre-frag successes: 0,#pre-frag failures: 0,#fragments created: 0#PMTUs sent: 0,#PMTUs rcvd: 0,#decapsulated frgs needing reassembly: 0#TFC rcvd: 0,#TFC sent: 0#Valid ICMP Errors rcvd: 0,#Invalid ICMP Errors rcvd: 0#send errors: 0,#recv errors: 0local crypto endpt.: 10.255.1.2/500, remote crypto endpt.: 10.255.2.2/500 path mtu 1500, ipsec overhead 74(44), media mtu 1500 PMTU time remaining (sec): 0, DF policy: copy-df ICMP error validation: disabled, TFC packets: disabled current outbound spi: F34CE0E2 current inbound spi : C8FCE690inbound esp sas: spi: 0xC8FCE690 (3372017296) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, } slot: 0, conn_id: 165, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4239359/28783) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0xF34CE0E2 (4081901794) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, } slot: 0, conn_id: 165, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4008959/28782) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001
We'll end this look at IPSEC tunnel creation with one more look at how the packets behave when an additional set of "interesting traffic" triggers the creation of a new Security Association between devices that already have a relationship built.
This packet capture shows that the Phase 1 process differs when adding an additional "child security association." The ISAKMP message "CREATE_CHILD_SA" is used to use to negotiate the details for the new ESP Security Association. That happens with a single pair of packets, and then the Phase 2 ESP Security Association is available to transmit the ICMP traffic.
That brings us to the end of this look at IPSEC VPN tunnel creation. So let's update the network diagram we started with to be a little more "accurate" with what we've learned.
IPSEC Security AssociationsI hope this look at IPSEC has helped you understand this core network technology a little better. Whether you are actively studying for a certification or working with IPSEC VPNs as part of your "day job," a deeper understanding of what happens when a tunnel is being built is often vital. (Particularly when a tunnel isn't coming up when you expect it to.)
If you'd like to dive deeper into IPSEC VPNs, here are a few handy links that can be useful:
Follow Cisco Learning & Certifications
Twitter?|?Facebook?|?LinkedIn?|?Instagram?|?YouTube|?Facebook?|?LinkedIn?|?Instagram?|?YouTube
Use#CiscoU and #CiscoCert?to join the conversation.