
12/9/2015

An Introduction to IP Security (IPSec) Encryption - Cisco

An Introduction to IP Security (IPSec) Encryption
Updated: May 19, 2008

Contents
Introduction
Prerequisites
    Requirements
    Components Used
    Conventions
Background
Crypto Lingo (Vocabulary)
Configure ISAKMP
    1. Pre-Shared Keys
    2. Use a CA
Configure IPsec
    Create Extended ACL
    Create IPsec Transform(s)
    Create Crypto Map
    Apply Crypto Map to Interface
Memory and CPU Considerations
Output from show Commands
    IKE Related Output
    IPsec Related show Commands
Sample Configurations
    Network Diagram
    Configurations
Debug Information
Implementation Tips for IPsec
Help and Relevant Links
    IPsec Information
    More Sample Configurations for IPsec
References
Related Information

Introduction
This document introduces IPsec to users in a rapid, but concise format. This document contains basic configurations of Internet Key Exchange (IKE) with preshared keys, IKE with a Certification Authority, and IPsec.
http://www.cisco.com/c/en/us/support/docs/securityvpn/ipsecnegotiationikeprotocols/16439IPSECpart8.html

This is not an exhaustive document. But, this document does help you to understand the tasks and the order in which they are accomplished.

Warning: There are severe restrictions on the export of strong cryptography. If you violate U.S. Federal Law, then you, not Cisco, are held accountable. If you have any questions related to export control, send an e-mail to export@cisco.com.

Note: Multicast and Broadcast are not supported on normal LAN-to-LAN tunnels or on VPN clients that terminate on any devices. Multicast can be passed only on GRE tunnels. This is supported only on routers and not on VPN 3000 Concentrators or firewalls (ASA/PIX).

Prerequisites

Requirements
There are no specific requirements for this document.

Components Used
This document is not restricted to specific software and hardware versions.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background
IPsec is the next-generation network layer crypto platform for the Cisco security platforms (Cisco IOS Software, PIX, and so forth). Originally described in RFCs 1825 through 1829, which are now obsolete, IPsec is currently discussed in a number of documents presented by the IETF IP Security Working Group. IPsec currently supports IP version 4 unicast packets. IPv6 and multicast support is to arrive at a later time.

IPsec has these strengths over current Cisco crypto offerings:
    Multivendor - Since the IPsec framework is standardized, customers are not locked into any specific vendor product. IPsec is found on routers, firewalls, and client desktops (Windows, Mac, and so forth).
    Scalability - IPsec is designed with large enterprises in mind. Therefore, it has built-in key management.

Note: While several Cisco platforms can use IPsec, this document is geared towards Cisco IOS software.

Crypto Lingo (Vocabulary)
You need to know these terms in order to understand IPsec, and to read the rest of this document. When you see acronyms in other portions of this document, refer to this page for definitions.

Advanced Encryption Standard (AES) - AES was finalized as a Federal Information Processing Standard (FIPS)-approved cryptographic algorithm to be used in order to protect electronic data transmission (FIPS PUB 197). AES is based on the Rijndael algorithm, which specifies how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. All nine combinations of key length and block length are possible.

Authentication Header (AH) - This is a security protocol that provides authentication and optional replay detection services. AH is embedded in the data to be protected, for example, a full IP datagram. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.

Authentication - This is one of the functions of the IPsec framework. Authentication establishes the integrity of the data stream and ensures that it is not tampered with in transit. It also provides confirmation about the data stream origin.
Certification Authority (CA) - This is a third-party entity with the responsibility to issue and revoke certificates. Each device that has its own certificate and the public key of the CA can authenticate every other device within a given CA domain. This term also applies to server software that provides these services.

Certificate - A cryptographically signed object that contains an identity and a public key associated with this identity.

Classic crypto - This is a Cisco-proprietary encryption mechanism used in Cisco IOS Software Release 11.2. Classic crypto is available in Cisco IOS Software Release 11.3. But, IPsec is not retrofitted to Cisco IOS Software Release 11.2. You can also see the name classic crypto referred to as Encryption Express or Cisco Encryption Technology (CET) in the marketing literature.

Certificate Revocation List (CRL) - This is a digitally signed message that lists all of the current but revoked certificates listed by a given CA. This is analogous to a book of stolen charge card numbers that allows stores to reject bad credit cards.

Crypto map - This is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to.
A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.

Data integrity - These are data integrity mechanisms, through the use of secret-key-based or public-key-based algorithms, that allow the recipient of a piece of protected data to verify that the data has not been modified in transit.

Data confidentiality - This is the method where protected data is manipulated so that no attacker can read it. This is commonly provided by data encryption and keys that are only available to the parties involved in the communication.

Data origin authentication - This is a security service where the receiver can verify that protected data might have originated only from the sender. This service requires a data integrity service plus a key distribution mechanism, where a secret key is shared only between the sender and receiver.

Data Encryption Standard (DES) - The DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. The contrast of DES is public key. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths), IPsec crypto (56-bit key), and on the PIX Firewall (56-bit key).

Diffie-Hellman - This is a method of the establishment of a shared key over an insecure medium. Diffie-Hellman is a component of Oakley, which is defined in this definition list.

DSS - A digital signature algorithm designed by the US National Institute of Standards and Technology (NIST) based on public key cryptography. DSS does not do user datagram encryption. DSS is a component in classic crypto, as well as the Redcreek IPsec card, but not in IPsec implemented in Cisco IOS software.

Encryption Service Adapter (ESA) - This is a hardware-based encryption accelerator that is used in:
    Cisco 7204 and 7206 routers
    Second-generation Versatile Interface Processor-40s (VIP2-40s) in all Cisco 7500 series routers
    VIP2-40 in the Cisco 7000 series routers that have the Cisco 7000 series Route Switch Processor (RSP7000) and Cisco 7000 series Chassis Interface (RSP7000CI) cards installed.
IPsec does not use the ESA acceleration, but it does work in a box that has an ESA card on a software-only basis.

Encapsulating Security Payload (ESP) - A security protocol that provides data confidentiality and protection with optional authentication and replay detection services. ESP completely encapsulates user data. ESP can be used either by itself or in conjunction with AH. Refer to RFC 2406: IP Encapsulating Security Payload (ESP).

Hash - This is a one-way function that takes an input message of arbitrary length and produces a fixed-length digest. Cisco uses both Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) hashes within our implementation of the IPsec framework. See the definition for HMAC for more information.
HMAC - This is a mechanism for message authentication that uses cryptographic hashes such as SHA and MD5. Refer to RFC 2104 for an exhaustive discussion of HMAC.

Internet Key Exchange (IKE) - A hybrid protocol that uses part of Oakley and part of another protocol suite called SKEME inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services, such as IPsec, that require keys. Before any IPsec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts, by a CA service, or by the forthcoming secure DNS (DNSSec). This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409: The Internet Key Exchange (IKE). A potential point of confusion is that the acronyms ISAKMP and IKE are both used in Cisco IOS software in order to refer to the same thing. These two items are somewhat different.

Internet Security Association and Key Management Protocol (ISAKMP) - This is a protocol framework that defines the mechanics of the implementation of a key exchange protocol and negotiation of a security policy. ISAKMP is defined in the Internet Security Association and Key Management Protocol (ISAKMP).

IPsec NAT Transparency - The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto-detected and auto-negotiated.

ISAKMP/Oakley - See IKE.

Message Digest 5 (MD5) - This is a one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4, which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPsec framework.

Oakley - This is a key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for Oakley is the Diffie-Hellman key exchange algorithm. You can find the standard in RFC 2412: The OAKLEY Key Determination Protocol.

Perfect Forward Secrecy (PFS) - PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec-protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (DH 768-bit) by default.

Replay detection - This is a security service where the receiver can reject old or duplicate packets in order to defeat replay attacks. Replay attacks rely on the attacker sending out older or duplicate packets to the receiver and the receiver thinking that the bogus traffic is legitimate. Replay detection is done by the use of sequence numbers combined with authentication, and is a standard feature of IPsec.

RSA - This is a public key cryptographic algorithm, named after its inventors, Rivest, Shamir and Adleman, with a variable key length. The main weakness of RSA is that it is significantly slow to compute compared to popular secret key algorithms, such as DES. The Cisco IKE implementation uses a Diffie-Hellman exchange in order to get the secret keys. This exchange can be authenticated with RSA, or preshared keys. With the Diffie-Hellman exchange, the DES key never crosses the network, not even in encrypted form, which is not the case with the RSA encrypt and sign technique. RSA is not public domain, and must be licensed from RSA Data Security.

Security Association (SA) - This is an instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although the SAs are independent of one another. IPsec SAs are unidirectional and they are unique in each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
IKE negotiates and establishes SAs on behalf of IPsec. A user can also establish IPsec SAs manually.
An IKE SA is used by IKE only. Unlike the IPsec SA, it is bidirectional.
Secure Hash Algorithm (SHA) - This is a one-way hash put forth by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute force attacks than 128-bit hashes (such as MD5), but it is slower.
Split Tunneling - This is the process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources at the remote office. This method of network access enables the user to access remote devices, such as a networked printer and servers, at the same time as accessing the public network (Internet). An advantage of the use of split tunneling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack, as it is accessible through the public, non-secure network.

Transform - A transform describes a security protocol (AH or ESP) with its corresponding algorithms. For example, ESP with the DES cipher algorithm and HMAC-SHA for authentication.

Transport Mode - This is an encapsulation mode for AH/ESP. Transport Mode encapsulates the upper layer payload, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), of the original IP datagram. This mode can only be used when the peers are the endpoints of the communication. The contrast of Transport Mode is Tunnel Mode.

Tunnel Mode - This is the encapsulation of the complete IP datagram for IPsec. Tunnel Mode is used in order to protect datagrams sourced from or destined to non-IPsec systems, such as in a Virtual Private Network (VPN) scenario.
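The two glossary points that matter most on the receive side, SA identification by (destination, protocol, SPI) and sequence-number replay detection, worked through as an added example (this is not code from the Cisco document). The 64-packet sliding bitmap window, the ESP/AH protocol constants and every address, SPI and sequence number below are constructed for the example.

```python
from dataclasses import dataclass, field

# IP protocol numbers; the Configure ISAKMP section says both must be permitted.
ESP, AH = 50, 51
WINDOW = 64  # replay window size in packets (assumption; RFC 2401 Appendix C style)


@dataclass
class InboundSA:
    """One inbound SA: unidirectional, identified by (dst, protocol, SPI)."""
    dst: str
    proto: int
    spi: int
    highest_seq: int = 0   # right edge of the replay window
    window: int = 0        # bitmap; bit k set == sequence (highest_seq - k) was seen
    counters: dict = field(default_factory=lambda: {"accept": 0, "replay": 0, "stale": 0})

    def check_replay(self, seq: int) -> str:
        """Anti-replay decision for ONE packet that already passed integrity
        verification; an unauthenticated packet must never move the window.
        Returns "accept", "replay" (duplicate), "stale" (older than the window)
        or "invalid" (sequence number 0 is never transmitted)."""
        if seq <= 0:
            return "invalid"
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            # Slide the window right; anything that falls off the left is forgotten.
            self.window = 0 if shift >= WINDOW else (self.window << shift) & ((1 << WINDOW) - 1)
            self.window |= 1
            self.highest_seq = seq
            return self._count("accept")
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return self._count("stale")
        if self.window & (1 << offset):
            return self._count("replay")
        self.window |= 1 << offset       # late but first-time: legitimate reordering
        return self._count("accept")

    def _count(self, verdict: str) -> str:
        self.counters[verdict] += 1
        return verdict


class SADB:
    """Inbound SA database keyed exactly as the glossary states: (dst, proto, SPI)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst: str, proto: int, spi: int):
        return self._sas.get((dst, proto, spi))


def process_inbound(sadb: SADB, packets):
    """packets: iterable of (dst, proto, spi, seq). Returns one verdict per packet."""
    verdicts = []
    for dst, proto, spi, seq in packets:
        sa = sadb.lookup(dst, proto, spi)
        verdicts.append("no-sa" if sa is None else sa.check_replay(seq))
    return verdicts


def demo():
    """Constructed sample: two SAs to one endpoint share an SPI value but not a
    protocol, so they are distinct SAs with independent replay windows."""
    sadb = SADB()
    sadb.add(InboundSA(dst="192.168.10.66", proto=ESP, spi=0x1001))
    sadb.add(InboundSA(dst="192.168.10.66", proto=AH, spi=0x1001))
    packets = [
        ("192.168.10.66", ESP, 0x1001, 1),
        ("192.168.10.66", ESP, 0x1001, 3),
        ("192.168.10.66", ESP, 0x1001, 2),    # reordered, still inside the window
        ("192.168.10.66", ESP, 0x1001, 3),    # duplicate: replay
        ("192.168.10.66", AH, 0x1001, 3),     # other SA, its own window
        ("192.168.10.66", ESP, 0x1001, 200),  # big jump forward
        ("192.168.10.66", ESP, 0x1001, 100),  # now left of the window: stale
        ("192.168.10.66", ESP, 0x9999, 1),    # unknown SPI: nothing to verify against
    ]
    return process_inbound(sadb, packets)


if __name__ == "__main__":
    print(demo())
```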

Configure ISAKMP
IKE exists only to establish SAs for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer. Since IKE negotiates its own policy, it is possible to configure multiple policy statements with different configuration statements, then let the two hosts come to an agreement. ISAKMP negotiates:
    An Encryption Algorithm - This is limited to 56-bit DES only.
    A Hashing Algorithm - MD5 or SHA
    Authentication - RSA signatures, RSA encrypted nonces (random numbers), or preshared keys
    Lifetime of the SA - In seconds
Currently, there are two methods used in order to configure ISAKMP:
    Use preshared keys, which are simple to configure.
    Use a CA, which is scalable throughout the Enterprise.
Note: IKE negotiation is done on UDP 500. IPsec uses IP protocols 50 and 51. Make sure these are permitted on any access lists you have between the peers.

1. Pre-Shared Keys
This is the quick and dirty method used in order to configure IKE. While the IKE configuration is simple and you do not use a CA, it does not scale very well.
You need to do these in order to configure IKE:
    Configure ISAKMP protection suite(s).
    Configure ISAKMP key.

Configure ISAKMP Protection Suite(s)
This command creates the ISAKMP policy object. It is possible to have multiple policies, but there is only one in this example:
dt345a(config)#crypto isakmp policy 1
dt345a(config-isakmp)#

With the group command, you can declare what size modulus to use for the Diffie-Hellman calculation. Group 1 is 768 bits long, and group 2 is 1024 bits long. Why would you use one over the other? Not all vendors support group 2. Also, group 2 is significantly more CPU intensive than group 1. For this reason, you do not want to use group 2 on low-end routers like the Cisco 2500 series or less. But, group 2 is more secure than group 1. Since this example uses a Cisco 4500, group 2 is used, and make sure the peer is also configured in order to use group 2. The default is group 1. If you select the default properties, the group 1 lines do not show up when you do a write terminal command.
dt345a(config-isakmp)#group 2

MD5 is our hashing algorithm in this line. While the implementation of SHA and MD5 are both mandatory, not all peers can be configured in order to negotiate one or the other. The default in Cisco IOS is SHA, which is more secure than MD5.
dt345a(config-isakmp)#hash md5

The lifetime of the SA, 500 seconds in this case, is shown in this command. If you do not set a lifetime, it defaults to 86400 seconds, or one day. When the lifetime timer fires, the SA is renegotiated as a security measure.
dt345a(config-isakmp)#lifetime 500

In this command, IKE is manually told what key to use. Therefore, the pre-share command is used. Two options besides the pre-share command are the rsa-encr and the rsa-sig commands. The rsa-encr command configures RSA encrypted nonces and the rsa-sig command configures RSA signatures. The rsa-encr and the rsa-sig commands are addressed in the Use a CA section. For now, remember that rsa-sig is the default.
dt345a(config-isakmp)#authentication pre-share

Configure ISAKMP key
In these commands, IKE is told what key to use. The peer, 192.168.10.38 in this case, must have the same key SlurpeeMachine in its configuration.
dt345a(config-isakmp)#exit
dt345a(config)#crypto isakmp key SlurpeeMachine address 192.168.10.38

You are now done with IKE configuration. These lines are the IKE configuration of the peer. The complete configurations for both routers are in the Sample Configurations section of this document:
crypto isakmp policy 1
 hash md5
 group 2
 authentication pre-share
crypto isakmp key SlurpeeMachine address 192.168.10.66

2. Use a CA
The use of a CA is a complex method used in order to configure IKE. Since it is very scalable in IPsec, you need to use IPsec instead of classic crypto. When Cisco IOS Software Release 11.3(3) is released, there are only going to be a few CA vendors that ship product. Initially, most configurations are done with the use of preshared keys. VeriSign, Entrust, Microsoft and Netscape, and probably a host of others, are working on CA products. For this example, a VeriSign CA is used.
You need to do these in order to use a CA:
    Create RSA key pair(s) for the router.
    Request CA certificate.
    Enroll certificates for the client router.
    Configure ISAKMP protection suite(s).

Create RSA Key Pairs for the Router
The crypto key gen rsa usage-keys command can confuse you. This command creates two key pairs for RSA:
    one key pair for encryption
    one key pair for digital signatures
A key pair refers to a public key and its corresponding secret key. If you do not specify usage-keys at the end of the command, the router generates only one RSA key pair and uses it for both encryption and digital signatures.
As a warning, note that this command can also be used in order to create DSS keys. But DSS is a part of classic crypto, not IPsec.
dt345a(config)#crypto key gen rsa usage-keys
The name for the keys will be: dt345a.cisco.com
% You already have RSA keys defined for dt345a.cisco.com.
% Do you really want to replace them? [yes/no] yes

Since some RSA keys already exist on this box, it asks if you want to get rid of the keys that exist. Since the answer is yes, confirm the command. This prompt is returned:
Choose the size of the key modulus in the range of
360 to 2048 for your Signature keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: <return>
Generating RSA keys...
[OK]
Choose the size of the key modulus in the range of
360 to 2048 for your Encryption keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: <return>
Generating RSA keys...
[OK]
dt345a(config)#

The RSA key pairs with the default 512-bit modulus are now created. Exit out of config mode and enter a show crypto key mypubkey rsa command. You can now see your RSA public key(s). The private key portion of the key pair is never seen. Even if you do not have pre-existing keys, you see the same output as shown previously.
Note: Remember to save your configuration once you have generated your key pairs.

Request a CA Certificate
You now need to configure the router in order to talk to a CA. This involves several steps. You need to eventually coordinate with your CA administrator.
In these configuration lines, a domain name is added to the router. This creates a hostname ciscoca-ultra, tells the router what its IP address is, and sets the name servers. You need to have either hostnames defined for the CA or a DNS that works on the box. Cisco recommends that you have a DNS that works on the box.
dt345a(config)#ip host ciscoca-ultra 171.69.54.46
dt345a(config)#ip domain-name cisco.com
dt345a(config)#ip name-server 171.69.2.132
dt345a(config)#ip name-server 198.92.30.32
Start to configure the CA parameters. verisignca is just an arbitrary name.
dt345a(config)#crypto ca identity verisignca
dt345a(ca-identity)#

In this output, the Cisco enrollment protocol uses HTTP in order to talk to the CA. The enrollment url http://ciscoca-ultra command tells the router to go to the specified URL in order to interact with the CA. The crypto ca authenticate verisignca command instructs the router to fetch the certificate of the CA. Before you can enroll in the CA, you need to make sure you talk to the real CA. Verify the certificate of the CA with the CA administrator in order to ensure authenticity.
dt345a(ca-identity)#enrollment url http://ciscoca-ultra
dt345a(ca-identity)#exit
dt345a(config)#crypto ca authenticate verisignca

Enroll Certificates for the Client Router
Issue the crypto ca enroll verisignca command in order to begin enrollment with the CA. There are several steps to this. First, you have to verify the identity of the CA, then the CA has to verify the identity of the router. If you ever need to revoke your certificate before it expires, if you renumber the interfaces of your router, or if you believe that your certificate is compromised, you need to provide a password to the CA administrator. Enter that, as is illustrated in this output. After you enter your password, the router continues.
dt345a(config)#crypto ca enroll verisignca
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password
to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:

You now see the fingerprint(s) from the CA. Verify that the fingerprint(s) are correct with the CA administrator. In addition, if you do a show crypto ca cert command, you see the CA certificate(s), in addition to your own certificates. The CA certificates are listed as pending at this time.
% The subject name for the keys will be: dt345a.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 01204044
% Include an IP address in the subject name? [yes/no]: yes
Interface: Ethernet0
Request certificate from CA? [yes/no]: yes

Contact the CA administrator, because this person wants to confirm the identity of the host before a certificate is issued. Once the CA issues the certificate, the status of our certificate changes from pending to available. With this, CA enrollment is complete. But, you are not done. You still need to configure ISAKMP policy object(s).

Configure ISAKMP Protection Suite(s)
The rsa-sig default is used in this output. You can have multiple protection suite(s), but there is only one in this example. In the event of multiple protection suites, the policies are presented to the peer in numerical order and the peer negotiates which one to use. You need to do this if you know that not all of your peers support certain features. The router does not attempt to negotiate things that do not make sense. For example, if you configure your policy for rsa-sig and you have no certificate, the router does not negotiate this.
dt345a(config)#crypto isakmp policy 1
dt345a(config-isakmp)#hash md5
dt345a(config-isakmp)#lifetime 4000
dt345a(config-isakmp)#exit

Configure IPsec
Whether you use preshared keys or configure a CA, once you set up Internet Key Exchange (IKE), you still have to set up IPsec. Regardless of which IKE method you use, the configuration steps for IPsec are the same.
You need to do these in order to configure IPsec:
    Create extended ACL.
    Create IPsec transform(s).
    Create crypto map.
    Apply crypto map to the interface.

Create Extended ACL
This command is a very simple ACL that allows the routers to talk to one another, for example, a Telnet from one router to the next.
dt345a(config)#access-list 101 permit ip host 192.168.10.38 host 192.168.10.66

A more realistic ACL looks like this command. This command is an ordinary extended ACL, where 192.168.3.0 is a subnet behind the router in question, and 10.3.2.0 is a subnet somewhere behind the peer router. Remember that permit means encrypt and deny means do not encrypt.
dt345a(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 10.3.2.0 0.0.0.255

Create IPsec Transform(s)
Create three transform sets. The first one uses ESP only, the second one uses AH combined with ESP, and the last one uses only AH. During IPsec SA negotiation, all three are offered to the peer, which chooses one. Also, for all three transform sets, use the default tunnel mode. Transport mode can be used only when the crypto endpoints are also the endpoints of the communication. Transport mode can be specified by the mode transport command under the transform set configuration. Tunnel mode is used primarily for the VPN scenario. Also note that esp-rfc1829 and ah-rfc1828 are based on the original RFCs for this technology and are obsolete transforms included for backwards compatibility. Not all vendors support these transforms, but other vendors support only these transforms.
The transform sets in these commands are not necessarily the most practical. For example, both PapaBear and BabyBear have substandard transform sets. Use esp-rfc1829 and ah-rfc1828 together in the same transform set.
dt345a(config)#crypto ipsec transform-set PapaBear esp-rfc1829
dt345a(cfg-crypto-trans)#exit
dt345a(config)#crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
dt345a(cfg-crypto-trans)#exit
dt345a(config)#crypto ipsec transform-set BabyBear ah-rfc1828
dt345a(cfg-crypto-trans)#exit
dt345a(config)#
TheipsecisakmptagtellstherouterthatthiscryptomapisanIPseccryptomap.Althoughthereisonlyone
http://www.cisco.com/c/en/us/support/docs/securityvpn/ipsecnegotiationikeprotocols/16439IPSECpart8.html

9/26

12/9/2015

AnIntroductiontoIPSecurity(IPSec)EncryptionCisco

peerdeclaredinthiscryptomap,youcanhavemultiplepeerswithinagivencryptomap.Thesessionkey
lifetimecanbeexpressedineitherkilobytes(afterxamountoftraffic,changethekey)orseconds,asisshown
inthesecommands.Thegoalofthisistomaketheeffortsofapotentialattackermoredifficult.Theset
transformsetcommandiswhereyouassociatethetransformswiththecryptomap.Inaddition,theorderin
whichyoudeclarethetransformsissignificant.MamaBearismorepreferredinthisconfiguration,andthenthe
restindescendingorderofpreferencethroughtoBabyBear.Thematchaddress101commandmeanstouse
accesslist101inordertodeterminewhichtrafficisrelevant.Youcanhavemultiplecryptomapswiththesame
name,whichisarmadillo,inthisexample,anddifferentsequencenumbers,whichis10,inthisexample.The
combinationofmultiplecryptomapsanddifferentsequencenumbersallowsyoutomixandmatchclassiccrypto
andIPsec.YoucanalsomodifyyourPFSconfigurationhere.PFSgroup1isthedefaultinthisexample.Youcan
changethePFStogroup2,orturnitoffalltogether,whichyoushouldnotdo.
dt345a(config)#cryptomaparmadillo10ipsecisakmp
dt345a(configcryptomap)#setpeer192.168.10.38
dt345a(configcryptomap)#setsessionkeylifetimeseconds4000
dt345a(configcryptomap)#settransformsetMamaBearPapaBearBabyBear
dt345a(configcryptomap)#matchaddress101

Apply Crypto Map to Interface
These commands apply the crypto map to the interface. You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map name but a different seq-num, they are part of the same set and are all applied to the interface. The security appliance evaluates the crypto map entry with the lowest seq-num first.
dt345a(config)#interface e0
dt345a(config-if)#crypto map armadillo
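How the crypto ACL and the crypto map set together decide the fate of each outbound packet (permit means encrypt, deny means send in clear, lowest seq-num first), as an added example that is not code from the Cisco document. It assumes IOS wildcard-mask semantics with an implicit deny at the end of each ACL, and that a flow denied by one entry's ACL still falls through to the next entry; entry 10 mirrors access-list 101 and the peer from the text, while entry 20, access-list 102, peer 192.168.10.99 and all sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def _ip(a: str) -> int:
    return int(IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care',
    so 0.0.0.255 matches a /24 and 0.0.0.0 matches exactly one host."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry for 'ip': permit == encrypt, deny == do not encrypt."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

    def mirrored(self) -> "Ace":
        """The entry the peer must configure: same flow, source and destination swapped."""
        return Ace(self.action, self.dst, self.dst_wc, self.src, self.src_wc)


def host(a: str) -> tuple:
    return a, "0.0.0.0"   # 'host X' is shorthand for X with wildcard 0.0.0.0


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    acl: tuple              # the 'match address' ACL
    peer: str               # 'set peer'
    transform_sets: tuple   # 'set transform-set', most preferred first


def classify(crypto_map, src: str, dst: str):
    """Decide what happens to one outbound packet on an interface carrying the
    crypto map set. Entries are tried lowest seq first; the first whose ACL
    permits the flow protects it. A deny or no-match in one entry only means that
    entry does not cover the flow, so evaluation continues (assumption).
    Returns ("encrypt", peer, preferred transform set) or ("clear", None, None)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_lookup(entry.acl, src, dst) == "permit":
            return "encrypt", entry.peer, entry.transform_sets[0]
    return "clear", None, None


def peer_acl(acl) -> tuple:
    """What the peer needs in its own crypto map entry: the mirror image of ours."""
    return tuple(ace.mirrored() for ace in acl)


# Constructed crypto map set "armadillo": entry 10 follows the page, entry 20 is invented.
ACL_101 = (Ace("permit", "192.168.3.0", "0.0.0.255", "10.3.2.0", "0.0.0.255"),)
ACL_102 = (Ace("deny", "192.168.3.0", "0.0.0.255", *host("172.16.0.5")),
           Ace("permit", "192.168.3.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"))
ARMADILLO = (
    CryptoMapEntry(10, ACL_101, "192.168.10.38", ("MamaBear", "PapaBear", "BabyBear")),
    CryptoMapEntry(20, ACL_102, "192.168.10.99", ("MamaBear",)),
)


if __name__ == "__main__":
    for s, d in [("192.168.3.7", "10.3.2.9"), ("192.168.3.7", "172.16.4.4"),
                 ("192.168.3.7", "172.16.0.5"), ("192.168.3.7", "198.51.100.8")]:
        print(s, "->", d, classify(ARMADILLO, s, d))
```

The last check in the test below shows why the peer's ACL must be the mirror image: on this router the reverse flow is never encrypted, so the peer has to match it from its side.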

Memory and CPU Considerations
Packets that are processed by IPsec are slower than packets that are processed through classic crypto. There are several reasons for this and they might cause significant performance problems:
    IPsec introduces packet expansion, which is more likely to require fragmentation and the corresponding reassembly of IPsec datagrams.
    Encrypted packets are probably authenticated, which means that there are two cryptographic operations that are performed for every packet.
    The authentication algorithms are slow, although work has been done to speed up things such as the Diffie-Hellman computations.
In addition, the Diffie-Hellman key exchange used in IKE is an exponentiation of very large numbers (between 768 and 1024 bytes) and can take up to four seconds on a Cisco 2500. Performance of RSA is dependent on the size of the prime number chosen for the RSA key pair.
For each router, the SA database takes up approximately 300 bytes, plus 120 bytes for every SA therein. In situations where there are two IPsec SAs, one inbound and one outbound, 540 bytes are required, in most cases. Each IKE SA entry is approximately 64 bytes. The only time you have one IPsec SA for a data flow is when the communication is one way.
IPsec and IKE impact performance when active. Diffie-Hellman key exchanges, public key authentication, and encryption/decryption consume a significant amount of resources, although much effort has been made in order to minimize this impact.
There is a small decrease in performance for non-encrypted packets that go through an interface that does crypto. This is because all packets have to be checked against the crypto map. There is no performance impact on packets that traverse the router but avoid an interface that does crypto. The biggest impact is on the encrypted data flows.
Use Group 1 for Diffie-Hellman key exchanges within IKE, use MD5 as your hashing algorithm, and use longer lifetimes in order to minimize the impact of the crypto subsystem on the rest of the router. In trade-off for this performance tuning, you can get weak cryptography. Ultimately, it is up to the security policy of the customer in order to determine which features to use and which to leave alone.

Output from show Commands
Note: The captures in these sections are taken from a different series of tests than those used in the previous sections of this document. Consequently, these captures can have different IP addresses and reflect slightly different configurations. Another series of show commands is provided in the Debug Information section of this document.

IKE Related Output
Study these commands in order to check VeriSign CA enrollment. These commands show the public keys you use for RSA encryption and signatures.
dt145a#show crypto key mypubkey rsa
% Key pair was generated at: 11:31:59 PDT Apr 9 1998
Key name: dt145a.cisco.com
 Usage: Signature Key
 Key Data:
305C300D06092A864886F70D0101010500034B003048024100C11854
39A9C75C
4E34C987B4D7F36CA058D69713172767192166E1661483DD0FDB907B
F9C10B7A
CB5A034FA41DF38523BEB6A7C14344BEE6915A121C86374F830203010001
% Key pair was generated at: 11:32:02 PDT Apr 9 1998
Key name: dt145a.cisco.com
 Usage: Encryption Key
 Key Data:
305C300D06092A864886F70D0101010500034B003048024100DCF5AC
360DD5A6
C69704CF47B2362D65123BD4424B6FF6AD10C33E89983D0816F1EA58
3700BCF9
1EF17E715931A9FC18D60D9AE0852DDD3F25369CF09DFB75050203010001

This command shows the certificates that the router recognizes. A certificate that has pending status has been submitted to the CA for approval.
dt145a#show crypto ca certificates
Certificate
  Subject Name
    Name: dt145a.cisco.com
    Serial Number: 01193485
  Status: Available
  Certificate Serial Number: 650534996414E2BE701F4EF3170EDFAD
  Key Usage: Signature

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7169BEE31B821DFE4B3A338E5F
  Key Usage: Not Set

Certificate
  Subject Name
    Name: dt145a.cisco.com
    Serial Number: 01193485
  Status: Available
  Certificate Serial Number: 1e621faf3b9902bc5b49d0f99dc66d14
  Key Usage: Encryption
Thisoutputshowsthepublickeysoftherouterandwheretherouterlearnedaboutthem.
dt145a#showcryptokeypubkeychainrsa
Codes:MManuallyconfigured,CExtractedfromcertificate

CodeUsageIPAddressName
CSigningCiscoSystemsDevtestCISCOCAULTRA
CGeneral172.21.30.71dt17ka.cisco.com

ThisistheISAKMP(IKE)SAtable.HereyouseethatanSAcurrentlyexistsbetween172.21.30.71and
172.21.30.70.ThepeerneedstohaveanSAentryinthesamestateastheoutputofthisrouter.
dt17ka#showcryptoisakmpsa
dstsrcstateconnidslot
172.21.30.70172.21.30.71QM_IDLE475

These lines show the policy objects configured. In this case, policies 1, 2, and 4 are used, in addition to the default. The policies are proposed to the peer in order, with 1 as the most preferred.

dt145a#show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               180 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               180 seconds, no volume limit
Protection suite of priority 4
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               180 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
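
The priority-ordered matching that the paragraph above describes, as an added Python model (this is illustrative code written for this page, not Cisco IOS code). It transcribes the four suites shown for dt145a and applies the documented IOS rule: the responder walks its own policies from lowest priority number upward and accepts the first one whose encryption, hash, authentication method and Diffie-Hellman group equal the peer's proposal and whose lifetime is at least the peer's; the shorter lifetime is then used. The class and function names, and the 65535 used to sort the default suite last, are my own choices.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'Protection suite' as printed by show crypto isakmp policy."""
    priority: int        # lower is more preferred; the default suite sorts last
    encryption: str      # "des" in every suite on this page
    hash: str            # "md5" (Message Digest 5) or "sha" (Secure Hash Standard)
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group: 1 (768 bit) or 2 (1024 bit)
    lifetime: int        # seconds


DEFAULT_PRIORITY = 65535  # assumption: a sort key that puts the default suite after all configured ones

# Transcribed from the dt145a output above (priorities 1, 2, 4 and the default suite).
DT145A_POLICIES = (
    IsakmpPolicy(1, "des", "md5", "rsa-sig", 1, 180),
    IsakmpPolicy(2, "des", "sha", "pre-share", 2, 180),
    IsakmpPolicy(4, "des", "md5", "pre-share", 2, 180),
    IsakmpPolicy(DEFAULT_PRIORITY, "des", "sha", "rsa-sig", 1, 86400),
)


def policy_matches(local: IsakmpPolicy, proposal: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication and DH group must be identical.

    The lifetime need not be identical: a proposal is acceptable when the
    peer's lifetime does not exceed ours (the shorter value is then used).
    """
    return (local.encryption == proposal.encryption
            and local.hash == proposal.hash
            and local.authentication == proposal.authentication
            and local.group == proposal.group
            and proposal.lifetime <= local.lifetime)


def select_policy(local_policies: Sequence[IsakmpPolicy],
                  proposals: Sequence[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Pick the policy both sides agree on, or None when nothing matches.

    Proposals arrive most-preferred first, and each one is compared against
    our own suites in priority order; the first hit wins.  That walk is what
    the 'Checking ISAKMP transform 1 against priority 1 policy' debug line
    later in this document reports.
    """
    ordered = sorted(local_policies, key=lambda p: p.priority)
    for proposal in proposals:
        for local in ordered:
            if policy_matches(local, proposal):
                return replace(local, lifetime=min(local.lifetime, proposal.lifetime))
    return None


if __name__ == "__main__":
    # Constructed peer proposal: DES / MD5 / pre-shared key / group 2, 120 s lifetime.
    peer_proposals = [IsakmpPolicy(1, "des", "md5", "pre-share", 2, 120)]
    print(select_policy(DT145A_POLICIES, peer_proposals))
```

With the constructed proposal above, priorities 1 and 2 are rejected (wrong authentication method, then wrong hash) and priority 4 is agreed with the peer's shorter 120 second lifetime; a proposal whose lifetime is longer than every matching local suite allows yields no agreement at all, which is the situation the `clear crypto isakmp` tip at the end of this document is meant to recover from.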

IPsec Related show Commands

This command shows the crypto map "ToOtherRouter", the ACLs, and the transform proposals applied to this crypto map, the peers, and the key lifetime.

S3-2513-2#show crypto map
Crypto Map "ToOtherRouter" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 192.168.45.0/0.0.0.255
                dest:   addr = 192.168.3.0/0.0.0.255
        Connection Id = UNSET (0 established, 0 failed)
        Current peer: 192.168.1.1
        Session key lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform proposals={ Elvis, Bubba, BarneyDino, }

This configuration uses the same router as the previous output, but different commands. You see all transform proposals, which settings they negotiate, and the defaults.

S3-2513-2#show crypto ipsec transform-set
Transform proposal Elvis: { ah-sha-hmac }
        supported settings = { Tunnel, },
        default settings = { Tunnel, },
        will negotiate = { Tunnel, },

        { esp-des }
        supported settings = { Tunnel, },
        default settings = { Tunnel, },
        will negotiate = { Tunnel, },

Transform proposal Bubba: { ah-rfc1828 }
        supported settings = { Tunnel, },
        default settings = { Tunnel, },
        will negotiate = { Tunnel, },

        { esp-des esp-md5-hmac }
        supported settings = { Tunnel, },
        default settings = { Tunnel, },
        will negotiate = { Tunnel, },

Transform proposal BarneyDino: { ah-md5-hmac }
        supported settings = { Tunnel, },
        default settings = { Tunnel, },
        will negotiate = { Tunnel, },

This command shows the current IPsec Security Associations of this router. The router has one AH SA for both incoming and outgoing.

S3-2513-2#show crypto ip session
Session key lifetime: 4608000 kilobytes/3600 seconds
S3-2513-2#show crypto ipsec sa

interface: Ethernet0
    Crypto map tag: ToOtherRouter, local addr. 192.168.1.2

   local  ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 25081A81
     inbound esp sas:

     inbound ah sas:
      spi: 0x1EE91DDC(518594012)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: ToOtherRouter
        sa timing: remaining key lifetime (k/sec): (4608000/3423)
        replay detection support: Y

     outbound esp sas:

     outbound ah sas:
      spi: 0x25081A81(621288065)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 17, crypto map: ToOtherRouter
        sa timing: remaining key lifetime (k/sec): (4608000/3424)
        replay detection support: Y
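
A defender rarely reads this output by hand; the usual job is to pull the counters and SA attributes out of it and raise the conditions that matter. The following is an added Python example written for this page (not Cisco code) that parses the S3-2513-2 output shown above, abridged to the lines it needs and embedded as a string, and reports send/receive errors, SAs whose replay detection is off, SAs near the end of their key lifetime, and the case this output actually exhibits: AH only, so the traffic is authenticated but not encrypted. The regular expressions, the 300 second threshold and the wording of the findings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged from the S3-2513-2 'show crypto ipsec sa' output above (page text, not live data).
SAMPLE_OUTPUT = """\
interface: Ethernet0
    Crypto map tag: ToOtherRouter, local addr. 192.168.1.2
   current_peer: 192.168.1.1
    #send errors 5, #recv errors 0
     current outbound spi: 25081A81
     inbound esp sas:

     inbound ah sas:
      spi: 0x1EE91DDC(518594012)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: ToOtherRouter
        sa timing: remaining key lifetime (k/sec): (4608000/3423)
        replay detection support: Y

     outbound esp sas:

     outbound ah sas:
      spi: 0x25081A81(621288065)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 17, crypto map: ToOtherRouter
        sa timing: remaining key lifetime (k/sec): (4608000/3424)
        replay detection support: Y
"""

@dataclass
class SecurityAssoc:
    direction: str              # "inbound" or "outbound"
    protocol: str               # "esp" or "ah"
    spi: int
    transform: str = ""
    remaining_sec: int = 0
    replay_detection: bool = False

@dataclass
class CryptoMapEntry:
    peer: str = ""
    send_errors: int = 0
    recv_errors: int = 0
    sas: List[SecurityAssoc] = field(default_factory=list)

PEER_RE = re.compile(r"current_peer: (\S+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah) sas:")
SPI_RE = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)\(")
TRANSFORM_RE = re.compile(r"transform: (\S+)")
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REPLAY_RE = re.compile(r"replay detection support: ([YN])")

def parse_show_crypto_ipsec_sa(text: str) -> CryptoMapEntry:
    """Walk the output line by line, remembering which '... sas:' block we are in."""
    entry = CryptoMapEntry()
    direction = protocol = ""
    current: Optional[SecurityAssoc] = None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            entry.peer = m.group(1)
        elif m := ERRORS_RE.search(line):
            entry.send_errors, entry.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := SECTION_RE.match(line):
            direction, protocol = m.group(1), m.group(2)
            current = None  # a new section header closes the previous SA
        elif (m := SPI_RE.match(line)) and direction:
            current = SecurityAssoc(direction, protocol, int(m.group(1), 16))
            entry.sas.append(current)
        elif current is not None:
            if m := TRANSFORM_RE.search(line):
                current.transform = m.group(1)
            elif m := TIMING_RE.search(line):
                current.remaining_sec = int(m.group(2))
            elif m := REPLAY_RE.search(line):
                current.replay_detection = m.group(1) == "Y"
    return entry

def health_findings(entry: CryptoMapEntry, min_remaining_sec: int = 300) -> List[str]:
    """Conditions worth an alert; an empty list means the SAs look healthy."""
    findings = []
    if entry.send_errors:
        findings.append(f"{entry.send_errors} send errors toward {entry.peer}")
    if entry.recv_errors:
        findings.append(f"{entry.recv_errors} receive errors from {entry.peer}")
    if not any(sa.protocol == "esp" for sa in entry.sas):
        findings.append("no ESP SA: traffic is authenticated (AH) but not encrypted")
    for sa in entry.sas:
        label = f"{sa.direction} {sa.protocol} spi 0x{sa.spi:X}"
        if not sa.replay_detection:
            findings.append(f"{label}: replay detection off")
        if sa.remaining_sec < min_remaining_sec:
            findings.append(f"{label}: only {sa.remaining_sec}s of key lifetime left")
    return findings
```

Run against the sample, `health_findings` returns two lines: the five send errors (the SA exists but nothing has been encapsulated yet, which is the normal first-ping situation the tips at the end of this document describe) and the absence of any ESP SA. The same parser works on the armadillo output later in this document, where the SAs are ESP but report replay detection off.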

Sample Configurations

This configuration uses pre-shared keys. This router configuration is used in order to create the debug output listed in the Debug Information section. This configuration allows a network called X located behind SourceRouter to talk to a network called Y located behind PeerRouter. Consult the Cisco IOS Software documentation for your version of Cisco IOS, or use the Command Lookup Tool (registered customers only) for more information about a particular command. This tool allows the user to look up a detailed description or configuration guidelines for a particular command.

Network Diagram

Configurations

Source Router
Peer Router
Source Router

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname goss-e4-2513
!
enable secret 5 $1$ZuRD$YBaAh3oIv4iltIn0TMCUX1
enable password ww
!
! IKE configuration
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key SlurpeeMachine address 20.20.20.21
!
! IPsec configuration
crypto ipsec transform-set BearPapa esp-rfc1829
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec transform-set BearBaby ah-rfc1828
!
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.21
 set security-association lifetime seconds 190
 set transform-set BearPapa BearMama BearBaby
! Traffic to encrypt
 match address 101
!
interface Ethernet0
 ip address 60.60.60.60 255.255.255.0
 no mop enabled
!
interface Serial0
 ip address 20.20.20.20 255.255.255.0
 no ip mroute-cache
 no fair-queue
 crypto map armadillo
!
interface Serial1
 no ip address
 shutdown
!
interface TokenRing0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.21
! Traffic to encrypt
access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password ww
 login
!
end

Peer Router

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname goss-c2-2513
!
enable secret 5 $1$DBTl$Wtg2eS7Eb/Cw5l.nDhkEi/
enable password ww
!
ip subnet-zero
!
! IKE configuration
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key SlurpeeMachine address 20.20.20.20
!
! IPsec configuration
crypto ipsec transform-set PapaBear esp-rfc1829
crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
crypto ipsec transform-set BabyBear ah-rfc1828
!
!
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.20
 set security-association lifetime seconds 190
 set transform-set MamaBear PapaBear BabyBear

! Traffic to encrypt
 match address 101
!
!
!
interface Ethernet0
 ip address 50.50.50.50 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 20.20.20.21 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 9600
 crypto map armadillo
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface TokenRing0
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.20
! Traffic to encrypt
access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

Debug Information

This section has the debug output from a normal IKE/IPsec session between two routers. The configurations come from the Sample Configurations section of this document. The routers use a pre-shared key. Both routers have the debug crypto isakmp, debug crypto ipsec, and debug crypto engine commands enabled. This was tested with an extended ping from the SourceRouter ethernet interface to the PeerRouter ethernet interface (60.60.60.60 to 50.50.50.50).

Note: The annotation lines in this sample debug output (shown here as lines that begin with !) are notes to help you follow what happens; they are not part of the debug output.

Source Router
Source Router show Command Output After IKE/IPsec Negotiation
Peer Router with Same Ping Sequence, as Seen from the Other Side
Peer Router show Commands

goss-e4-2513#show clock
goss-e4-2513#ping
Protocol [ip]:
Target IP address: 50.50.50.50
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 60.60.60.60
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:
Apr 2 12:03:55.347: IPSEC(sa_request): ,
  (key eng. msg.) src= 20.20.20.20, dest= 20.20.20.21,
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Apr 2 12:03:55.355: IPSEC(sa_request): ,
  (key eng. msg.) src= 20.20.20.20, dest= 20.20.20.21,
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac ,
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Apr 2 12:03:55.363: IPSEC(sa_request): ,
  (key eng. msg.) src= 20.20.20.20, dest= 20.20.20.21,
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Apr 2 12:03:55.375: IPSEC(sa_request): ,
  (key eng. msg.) src= 20.20.20.20, dest= 20.20.20.21,
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-rfc1828 ,
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

! Note that the router offers to the peer all of the available transforms.

Apr 2 12:03:55.391: ISAKMP (14): beginning Main Mode exchange
Apr 2 12:03:57.199: ISAKMP (14): processing SA payload. message ID = 0
Apr 2 12:03:57.203: ISAKMP (14): Checking ISAKMP transform 1 against priority 1 policy
Apr 2 12:03:57.203: ISAKMP:      encryption DES-CBC
Apr 2 12:03:57.207: ISAKMP:      hash MD5
Apr 2 12:03:57.207: ISAKMP:      default group 1
Apr 2 12:03:57.207: ISAKMP:      auth pre-share
Apr 2 12:03:57.211: ISAKMP (14): atts are acceptable. Next payload is 0
Apr 2 12:03:57.215: Crypto engine 0: generate alg param
Apr 2 12:03:58.867: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 2 12:03:58.871: ISAKMP (14): SA is doing pre-shared key authentication
Apr 2 12:04:01.291: ISAKMP (14): processing KE payload. message ID = 0
Apr 2 12:04:01.295: Crypto engine 0: generate alg param
Apr 2 12:04:03.343: ISAKMP (14): processing NONCE payload. message ID = 0
Apr 2 12:04:03.347: Crypto engine 0: create ISAKMP SKEYID for conn id 14
Apr 2 12:04:03.363: ISAKMP (14): SKEYID state generated
Apr 2 12:04:03.367: ISAKMP (14): processing vendor id payload
Apr 2 12:04:03.371: ISAKMP (14): speaking to another IOS box!
Apr 2 12:04:03.371: generate hmac context for conn id 14
Apr 2 12:04:03.615: ISAKMP (14): processing ID payload. message ID = 0
Apr 2 12:04:03.615: ISAKMP (14): processing HASH payload. message ID = 0
Apr 2 12:04:03.619: generate hmac context for conn id 14
Apr 2 12:04:03.627: ISAKMP (14): SA has been authenticated
Apr 2 12:04:03.627: ISAKMP (14): beginning Quick Mode exchange, M-ID of 1628162439

! These lines represent verification that the policy attributes are fine, and the final authentication:

Apr 2 12:04:03.635: IPSEC(key_engine): got a queue event...
Apr 2 12:04:03.635: IPSEC(spi_response): getting spi 303564824ld for SA
        .!!! from 20.20.20.21 to 20.20.20.20 for prot 3
Apr 2 12:04:03.639: IPSEC(spi_response): getting spi 423956280ld for SA
        from 20.20.20.21 to 20.20.20.20 for prot 2
Apr 2 12:04:03.643: IPSEC(spi_response): getting spi 415305621ld for SA
        from 20.20.20.21 to 20.20.20.20 for prot 3
Apr 2 12:04:03.647: IPSEC(spi_response): getting spi 218308976ld for SA
        from 20.20.20.21 to 20.20.20.20 for prot 2
Apr 2 12:04:03.891: generate hmac context for conn id 14
Apr 2 12:04:04.!!
Success rate is 50 percent (5/10), round-trip min/avg/max = 264/265/268 ms
goss-e4-2513#723: generate hmac context for conn id 14
Apr 2 12:04:04.731: ISAKMP (14): processing SA payload. message ID = 1628162439
Apr 2 12:04:04.731: ISAKMP (14): Checking IPSec proposal 1
Apr 2 12:04:04.735: ISAKMP: transform 1, ESP_DES_IV64
Apr 2 12:04:04.735: ISAKMP:   attributes in transform:
Apr 2 12:04:04.735: ISAKMP:      encaps is 1
Apr 2 12:04:04.739: ISAKMP:      SA life type in seconds
Apr 2 12:04:04.739: ISAKMP:      SA life duration (basic) of 190
Apr 2 12:04:04.739: ISAKMP:      SA life type in kilobytes
Apr 2 12:04:04.743: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
Apr 2 12:04:04.747: ISAKMP (14): atts are acceptable.

! The ISAKMP debug is listed because IKE is the entity that negotiates IPsec SAs on behalf of I

Apr 2 12:04:04.747: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 20.20.20.21, src= 20.20.20.20,
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Apr 2 12:04:04.759: ISAKMP (14): processing NONCE payload. message ID = 1628162439
Apr 2 12:04:04.759: ISAKMP (14): processing ID payload. message ID = 1628162439
Apr 2 12:04:04.763: ISAKMP (14): processing ID payload. message ID = 1628162439
Apr 2 12:04:04.767: generate hmac context for conn id 14
Apr 2 12:04:04.799: ISAKMP (14): Creating IPSec SAs
Apr 2 12:04:04.803:         inbound SA from 20.20.20.21 to 20.20.20.20 (proxy 50.50.50.0 to 60.60.60.0)
Apr 2 12:04:04.803:         has spi 303564824 and conn_id 15 and flags 4
Apr 2 12:04:04.807:         lifetime of 190 seconds
Apr 2 12:04:04.807:         lifetime of 4608000 kilobytes
Apr 2 12:04:04.811:         outbound SA from 20.20.20.20 to 20.20.20.21 (proxy 60.60.60.0 to 50.50.50.0)
Apr 2 12:04:04.811:         has spi 183903875 and conn_id 16 and flags 4
Apr 2 12:04:04.815:         lifetime of 190 seconds
Apr 2 12:04:04.815:         lifetime of 4608000 kilobytes
Apr 2 12:04:04.823: IPSEC(key_engine): got a queue event...
Apr 2 12:04:04.823: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 20.20.20.20, src= 20.20.20.21,
    dest_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 190s and 4608000kb,
    spi= 0x12180818(303564824), conn_id= 15, keysize= 0, flags= 0x4
Apr 2 12:04:04.831: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 20.20.20.20, dest= 20.20.20.21,
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 190s and 4608000kb,
    spi= 0xAF62683(183903875), conn_id= 16, keysize= 0, flags= 0x4
Apr 2 12:04:04.839: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.20, sa_prot= 50,
    sa_spi= 0x12180818(303564824),
    sa_trans= esp-rfc1829 , sa_conn_id= 15
Apr 2 12:04:04.843: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.21, sa_prot= 50,
    sa_spi= 0xAF62683(183903875),
    sa_trans= esp-rfc1829 , sa_conn_id= 16

! These lines show that IPsec SAs are created and encrypted traffic can now pass.

Source Router show Command Output After IKE/IPsec Negotiation

goss-e4-2513#
goss-e4-2513#show crypto isakmp sa
    dst             src             state      conn-id    slot
    20.20.20.21     20.20.20.20     QM_IDLE    14         0
goss-e4-2513#show crypto ipsec sa
interface: Serial0
    Crypto map tag: armadillo, local addr. 20.20.20.20

   local  ident (addr/mask/prot/port): (60.60.60.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
   current_peer: 20.20.20.21
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 0
    #send errors 5, #recv errors 0
     local crypto endpt.: 20.20.20.20, remote crypto endpt.: 20.20.20.21
     path mtu 1500, media mtu 1500
     current outbound spi: AF62683
     inbound esp sas:
      spi: 0x12180818(303564824)
        transform: esp-rfc1829 ,
        in use settings ={Varlen IV, Tunnel, }
        slot: 0, conn id: 15, crypto map: armadillo
        sa timing: remaining key lifetime (k/sec): (4607999/135)
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     outbound esp sas:
      spi: 0xAF62683(183903875)
        transform: esp-rfc1829 ,
        in use settings ={Varlen IV, Tunnel, }
        slot: 0, conn id: 16, crypto map: armadillo
        sa timing: remaining key lifetime (k/sec): (4607999/117)
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

goss-e4-2513#show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
goss-e4-2513#show crypto map
Crypto Map "armadillo" 1 ipsec-isakmp
        Peer = 20.20.20.21
        Extended IP access list 101
            access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
        Current peer: 20.20.20.21
        Security association lifetime: 4608000 kilobytes/190 seconds
        PFS (Y/N): N
        Transform sets={ BearPapa, BearMama, BearBaby, }

Peer Router with Same Ping Sequence, as Seen from the Other Side

goss-c2-2513#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
goss-c2-2513#
Apr 2 12:03:55.107: ISAKMP (14): processing SA payload. message ID = 0
Apr 2 12:03:55.111: ISAKMP (14): Checking ISAKMP transform 1 against priority 1 policy
Apr 2 12:03:55.111: ISAKMP:      encryption DES-CBC
Apr 2 12:03:55.111: ISAKMP:      hash MD5
Apr 2 12:03:55.115: ISAKMP:      default group 1
Apr 2 12:03:55.115: ISAKMP:      auth pre-share
Apr 2 12:03:55.115: ISAKMP (14): atts are acceptable. Next payload is 0

! IKE performs its operation, and then kicks off IPsec.

Apr 2 12:03:55.119: Crypto engine 0: generate alg param
Apr 2 12:03:56.707: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 2 12:03:56.711: ISAKMP (14): SA is doing pre-shared key authentication
Apr 2 12:03:58.667: ISAKMP (14): processing KE payload. message ID = 0
Apr 2 12:03:58.671: Crypto engine 0: generate alg param
Apr 2 12:04:00.687: ISAKMP (14): processing NONCE payload. message ID = 0
Apr 2 12:04:00.695: Crypto engine 0: create ISAKMP SKEYID for conn id 14
Apr 2 12:04:00.707: ISAKMP (14): SKEYID state generated
Apr 2 12:04:00.711: ISAKMP (14): processing vendor id payload
Apr 2 12:04:00.715: ISAKMP (14): speaking to another IOS box!
Apr 2 12:04:03.095: ISAKMP (14): processing ID payload. message ID = 0
Apr 2 12:04:03.095: ISAKMP (14): processing HASH payload. message ID = 0
Apr 2 12:04:03.099: generate hmac context for conn id 14
Apr 2 12:04:03.107: ISAKMP (14): SA has been authenticated
Apr 2 12:04:03.111: generate hmac context for conn id 14
Apr 2 12:04:03.835: generate hmac context for conn id 14
Apr 2 12:04:03.839: ISAKMP (14): processing SA payload. message ID = 1628162439
Apr 2 12:04:03.843: ISAKMP (14): Checking IPSec proposal 1
Apr 2 12:04:03.843: ISAKMP: transform 1, ESP_DES_IV64
Apr 2 12:04:03.847: ISAKMP:   attributes in transform:
Apr 2 12:04:03.847: ISAKMP:      encaps is 1
Apr 2 12:04:03.847: ISAKMP:      SA life type in seconds
Apr 2 12:04:03.851: ISAKMP:      SA life duration (basic) of 190
Apr 2 12:04:03.851: ISAKMP:      SA life type in kilobytes
Apr 2 12:04:03.855: IS AKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
Apr 2 12:04:03.855: ISAKMP (14): atts are acceptable.
Apr 2 12:04:03.859: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 20.20.20.21, src= 20.20.20.20,
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Apr 2 12:04:03.867: ISAKMP (14): processing NONCE payload. message ID = 1628162439
Apr 2 12:04:03.871: ISAKMP (14): processing ID payload. message ID = 1628162439
Apr 2 12:04:03.871: ISAKMP (14): processing ID payload. message ID = 1628162439
Apr 2 12:04:03.879: IPSEC(key_engine): got a queue event...
Apr 2 12:04:03.879: IPSEC(spi_response): getting spi 183903875ld for SA
        from 20.20.20.20 to 20.20.20.21 for prot 3
Apr 2 12:04:04.131: generate hmac context for conn id 14
Apr 2 12:04:04.547: generate hmac context for conn id 14
Apr 2 12:04:04.579: ISAKMP (14): Creating IPSec SAs
Apr 2 12:04:04.579:         inbound SA from 20.20.20.20 to 20.20.20.21 (proxy 60.60.60.0 to 50.50.50.0)
Apr 2 12:04:04.583:         has spi 183903875 and conn_id 15 and flags 4
Apr 2 12:04:04.583:         lifetime of 190 seconds
Apr 2 12:04:04.587:         lifetime of 4608000 kilobytes
Apr 2 12:04:04.587:         outbound SA from 20.20.20.21 to 20.20.20.20 (proxy 50.50.50.0 to 60.60.60.0)
Apr 2 12:04:04.591:         has spi 303564824 and conn_id 16 and flags 4
Apr 2 12:04:04.591:         lifetime of 190 seconds
Apr 2 12:04:04.595:         lifetime of 4608000 kilobytes
Apr 2 12:04:04.599: IPSEC(key_engine): got a queue event...
Apr 2 12:04:04.599: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 20.20.20.21, src= 20.20.20.20,
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    src_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 190s and 4608000kb,
    spi= 0xAF62683(183903875), conn_id= 15, keysize= 0, flags= 0x4
Apr 2 12:04:04.607: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 20.20.20.21, dest= 20.20.20.20,
    src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 60.60.60.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 190s and 4608000kb,
    spi= 0x12180818(303564824), conn_id= 16, keysize= 0, flags= 0x4
Apr 2 12:04:04.615: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.21, sa_prot= 50,
    sa_spi= 0xAF62683(183903875),
    sa_trans= esp-rfc1829 , sa_conn_id= 15
Apr 2 12:04:04.619: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.20, sa_prot= 50,
    sa_spi= 0x12180818(303564824),
    sa_trans= esp-rfc1829 , sa_conn_id= 16

! The IPsec SAs are created, and ICMP traffic can flow.
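
The two debug traces above end with each router creating the same pair of ESP SAs: the SA that protects traffic toward 20.20.20.20 carries SPI 0x12180818 on both boxes, and the one toward 20.20.20.21 carries SPI 0xAF62683, while the conn_id values are local to each router and differ. The following added Python example (written for this page, not Cisco code) parses the `IPSEC(create_sa)` records transcribed from both traces and confirms that the two sides hold a consistent SA pair; it is the check to run when one side's `show crypto ipsec sa` reports errors and you want to know whether the peers simply disagree about an SPI. The record layout is exactly as printed above; the regular expression and the mismatch messages are my own.

```python
import re
from typing import List, NamedTuple

# Transcribed from the two routers' 'IPSEC(create_sa)' debug records above.
SOURCE_ROUTER_DEBUG = """\
Apr 2 12:04:04.839: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.20, sa_prot= 50,
    sa_spi= 0x12180818(303564824),
    sa_trans= esp-rfc1829 , sa_conn_id= 15
Apr 2 12:04:04.843: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.21, sa_prot= 50,
    sa_spi= 0xAF62683(183903875),
    sa_trans= esp-rfc1829 , sa_conn_id= 16
"""

PEER_ROUTER_DEBUG = """\
Apr 2 12:04:04.615: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.21, sa_prot= 50,
    sa_spi= 0xAF62683(183903875),
    sa_trans= esp-rfc1829 , sa_conn_id= 15
Apr 2 12:04:04.619: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20.20.20.20, sa_prot= 50,
    sa_spi= 0x12180818(303564824),
    sa_trans= esp-rfc1829 , sa_conn_id= 16
"""


class CreatedSa(NamedTuple):
    dest: str        # address the SA protects traffic toward
    protocol: int    # IP protocol number: 50 = ESP, 51 = AH
    spi: int
    transform: str
    conn_id: int     # router-local crypto engine id; not shared with the peer


CREATE_SA_RE = re.compile(
    r"IPSEC\(create_sa\): sa created,\s*"
    r"\(sa\) sa_dest= (?P<dest>[\d.]+), sa_prot= (?P<prot>\d+),\s*"
    r"sa_spi= 0x(?P<spi>[0-9A-Fa-f]+)\(\d+\),\s*"
    r"sa_trans= (?P<trans>\S+) , sa_conn_id= (?P<conn>\d+)")


def parse_created_sas(debug_text: str) -> List[CreatedSa]:
    """Extract every 'sa created' record, in the order the router logged them."""
    return [CreatedSa(m["dest"], int(m["prot"]), int(m["spi"], 16), m["trans"], int(m["conn"]))
            for m in CREATE_SA_RE.finditer(debug_text)]


def sa_pair_mismatches(local_addr: str, local_sas: List[CreatedSa],
                       peer_addr: str, peer_sas: List[CreatedSa]) -> List[str]:
    """Compare the SA sets both sides report; an empty list means they agree.

    An SA is identified by (destination, SPI).  The same key must exist on
    both routers with the same protocol and transform, every SA must end at
    one of the two crypto endpoints, and inbound and outbound SAs must pair up.
    """
    problems: List[str] = []
    mine = {(sa.dest, sa.spi): sa for sa in local_sas}
    theirs = {(sa.dest, sa.spi): sa for sa in peer_sas}
    for (dest, spi), sa in mine.items():
        if dest not in (local_addr, peer_addr):
            problems.append(f"SA spi 0x{spi:X} terminates at unexpected address {dest}")
        other = theirs.get((dest, spi))
        if other is None:
            problems.append(f"peer has no SA for dest {dest} spi 0x{spi:X}")
        elif (other.protocol, other.transform) != (sa.protocol, sa.transform):
            problems.append(f"protocol/transform disagree for dest {dest} spi 0x{spi:X}")
    for dest, spi in theirs.keys() - mine.keys():
        problems.append(f"peer reports an SA we do not have: dest {dest} spi 0x{spi:X}")
    inbound = sum(1 for sa in local_sas if sa.dest == local_addr)
    outbound = sum(1 for sa in local_sas if sa.dest == peer_addr)
    if inbound != outbound:
        problems.append(f"unpaired SAs: {inbound} inbound vs {outbound} outbound")
    return problems


if __name__ == "__main__":
    src = parse_created_sas(SOURCE_ROUTER_DEBUG)
    peer = parse_created_sas(PEER_ROUTER_DEBUG)
    print(sa_pair_mismatches("20.20.20.20", src, "20.20.20.21", peer) or "SA pair consistent")
```

For the traces on this page the result is an empty list. Note that the conn_id is deliberately left out of the comparison: the source router uses 15 for its inbound SA and the peer uses 15 for the SA in the opposite direction, which is normal.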

Peer Router show Commands

! This illustrates a series of show command output after IKE/IPsec negotiation takes place.

goss-c2-2513#show crypto isakmp sa
    dst             src             state      conn-id    slot
    20.20.20.21     20.20.20.20     QM_IDLE    14         0
goss-c2-2513#show crypto ipsec sa
interface: Serial0
    Crypto map tag: armadillo, local addr. 20.20.20.21

   local  ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (60.60.60.0/255.255.255.0/0/0)
   current_peer: 20.20.20.20
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 20.20.20.21, remote crypto endpt.: 20.20.20.20
     path mtu 1500, media mtu 1500
     current outbound spi: 12180818
     inbound esp sas:
      spi: 0xAF62683(183903875)
        transform: esp-rfc1829 ,
        in use settings ={Varlen IV, Tunnel, }
        slot: 0, conn id: 15, crypto map: armadillo
        sa timing: remaining key lifetime (k/sec): (4607999/118)
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     outbound esp sas:
      spi: 0x12180818(303564824)
        transform: esp-rfc1829 ,
        in use settings ={Varlen IV, Tunnel, }
        slot: 0, conn id: 16, crypto map: armadillo
        sa timing: remaining key lifetime (k/sec): (4607999/109)
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

goss-c2-2513#show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
goss-c2-2513#show crypto map
Crypto Map "armadillo" 1 ipsec-isakmp
        Peer = 20.20.20.20
        Extended IP access list 101
            access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
        Current peer: 20.20.20.20
        Security association lifetime: 4608000 kilobytes/190 seconds
        PFS (Y/N): N
        Transform sets={ MamaBear, PapaBear, BabyBear, }

Implementation Tips for IPsec

These are some implementation tips for IPsec:

- Make certain that you have connectivity between the endpoints of the communication before you configure crypto.

- Make sure that either DNS works on the router, or you have entered the CA hostname, if you use a CA.

- IPsec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately.

- Be careful not to use the word "any" in your ACL. This causes problems. Refer to the Usage Guidelines for access-list in the PIX command reference for more information.

- Recommended transform combinations are:

  esp-des and esp-sha-hmac

  ah-sha-hmac and esp-des

- Remember that AH is just an authenticated header. The actual user data stream is not encrypted. You need ESP for data stream encryption. If you use only AH and see clear text go across the network, do not be surprised. Also use ESP if you use AH. Note that ESP can also perform authentication. Therefore, you can use a transform combination such as esp-des and esp-sha-hmac.

- ah-rfc1828 and esp-rfc1829 are obsolete transforms included for backwards compatibility with older IPsec implementations. If the peer does not support newer transforms, try these instead.
- SHA is slower and more secure than MD5, whereas MD5 is faster and less secure than SHA. In some communities, the comfort level with MD5 is very low.

- When in doubt, use tunnel mode. Tunnel mode is the default and it can be used in transport mode, as well as for its VPN capabilities.

- For classic crypto users who upgrade to Cisco IOS Software Release 11.3, crypto command storage methods in the configuration have changed in order to allow for IPsec. Consequently, if classic crypto users ever revert to Cisco IOS Software Release 11.2, these users have to reenter their crypto configurations.

- If you do a ping test across the encrypted link when you finish your configuration, the negotiation process can take some time, about six seconds on a Cisco 4500, and about 20 seconds on a Cisco 2500, because SAs have not yet been negotiated. Even though everything is configured correctly, your ping can initially fail. The debug crypto ipsec and debug crypto isakmp commands show you what happens. Once your encrypted data streams have finished their setup, the ping works fine.

- If you run into trouble with your negotiation(s) and make configuration changes, use the clear crypto isakmp and clear crypto sa commands in order to flush the databases before you retry. This forces negotiation to start anew, without any legacy negotiation to get in the way. The clear crypto isakmp and clear crypto sa commands are very useful in this manner.
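
Two of the tips above are mechanical enough to check before a change goes live: the crypto ACLs on the two peers must be exact mirror images and must not use the keyword any, and whatever filters sit between the crypto endpoints must pass ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP 500). The following added Python example (written for this page, not Cisco code) lints the access-list 101 lines from the Source Router and Peer Router configurations above for the first condition, and a constructed interface ACL for the second. Its assumptions: extended ACL lines in the form `access-list N permit|deny PROTO SRC DST [eq PORT]`, with source and destination written as `any`, `host A`, or `A WILDCARD`; `ahp` and `esp` as the IOS keywords for protocols 51 and 50; and a numeric port after `eq`. Function and variable names are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network


class AclEntry(NamedTuple):
    action: str                 # "permit" / "deny"
    protocol: str               # "ip", "esp", "ahp" (IOS keyword for AH), "udp", ...
    src: Optional[IPv4Net]      # None stands for the keyword 'any'
    dst: Optional[IPv4Net]
    dst_port: Optional[int]     # from a trailing 'eq <port>', numeric only (assumption)


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return IPv4Net(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    action, protocol, rest = tokens[2], tokens[3], tokens[4:]

    def take_address(toks):
        if toks[0] == "any":
            return None, toks[1:]
        if toks[0] == "host":
            return IPv4Net(f"{toks[1]}/32"), toks[2:]
        return wildcard_to_network(toks[0], toks[1]), toks[2:]

    src, rest = take_address(rest)
    dst, rest = take_address(rest)
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return AclEntry(action, protocol, src, dst, port)


def crypto_acl_problems(local_lines: List[str], peer_lines: List[str]) -> List[str]:
    """No 'any' on either side, and every local permit has a mirror image on the peer."""
    local = [parse_acl_line(l) for l in local_lines]
    peer = [parse_acl_line(l) for l in peer_lines]
    problems = []
    for side, entries in (("local", local), ("peer", peer)):
        for e in entries:
            if e.src is None or e.dst is None:
                problems.append(f"{side} crypto ACL uses 'any': {e.protocol} {e.src} -> {e.dst}")
    mirrored = {(e.dst, e.src, e.protocol) for e in peer if e.action == "permit"}
    for e in local:
        if e.action == "permit" and (e.src, e.dst, e.protocol) not in mirrored:
            problems.append(f"local entry {e.src} -> {e.dst} has no mirror image on the peer")
    return problems


# What IPsec itself needs between the two crypto endpoints:
# ESP is IP protocol 50, AH is 51 ('ahp' in IOS ACL syntax), IKE is UDP port 500.
REQUIRED_TRANSIT = (("esp", None), ("ahp", None), ("udp", 500))


def ipsec_transit_gaps(acl_lines: List[str], src_peer: str, dst_peer: str) -> List[str]:
    """Report which of ESP, AH and IKE an interface ACL fails to permit from src_peer to dst_peer."""
    entries = [parse_acl_line(l) for l in acl_lines]
    src_ip, dst_ip = ipaddress.IPv4Address(src_peer), ipaddress.IPv4Address(dst_peer)
    gaps = []
    for protocol, port in REQUIRED_TRANSIT:
        permitted = any(
            e.action == "permit"
            and e.protocol in (protocol, "ip")          # 'permit ip' covers every protocol
            and (e.src is None or src_ip in e.src)
            and (e.dst is None or dst_ip in e.dst)
            and (port is None or e.dst_port in (None, port))
            for e in entries)
        if not permitted:
            what = protocol if port is None else f"{protocol}/{port}"
            gaps.append(f"{what} from {src_peer} to {dst_peer} is not permitted")
    return gaps


if __name__ == "__main__":
    # The crypto ACLs from the Source Router and Peer Router configurations above.
    source_acl = ["access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255"]
    peer_acl = ["access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255"]
    print(crypto_acl_problems(source_acl, peer_acl) or "crypto ACLs mirror each other")
    # Constructed inbound ACL for the Source Router's Serial0; it forgets AH.
    serial0_in = [
        "access-list 110 permit esp host 20.20.20.21 host 20.20.20.20",
        "access-list 110 permit udp host 20.20.20.21 host 20.20.20.20 eq 500",
    ]
    print(ipsec_transit_gaps(serial0_in, "20.20.20.21", "20.20.20.20"))
```

On the page's own configurations the crypto ACLs pass; the constructed Serial0 filter is reported as missing AH, which with the BearMama/MamaBear transform set (ah-md5-hmac with esp-des) would leave the SA negotiated but the AH packets dropped at the interface.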

Help and Relevant Links

IPsec Information

IPsec Support Page
ECRA Encryption Policies and Procedures: send an E-mail to export@cisco.com

More Sample Configurations for IPsec

Configuring and Troubleshooting Cisco's Network Layer Encryption: IPSec and ISAKMP
IPsec Network Security Overview
PIX Firewall IPsec configuration documentation
  PIX 5.1
  PIX 5.2
  PIX 5.3
  PIX 6.0
  PIX 6.1
  PIX 6.2
  PIX 6.3

Contact the Cisco Technical Support at (800) 553-24HR, (408) 526-7209, or send an E-mail to tac@cisco.com if you require further assistance with IPsec.


Related Information

IPsec Support Page
How Virtual Private Networks Work
Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
Technical Support & Documentation - Cisco Systems

© 2015 Cisco and/or its affiliates. All rights reserved.
