PIX/ASA 7.x and later : VPN/IPsec with OSPF Configuration Example

Introduction

This document provides a sample configuration for a VPN/IPsec with Open Shortest Path First (OSPF) on Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA). PIX/ASA 7.x allows OSPF unicast to run over an existing VPN connection. You no longer need to configure a Generic Routing Encapsulation (GRE) tunnel.

Prerequisites

Requirements

Ensure that you can establish the VPN connection before you attempt this configuration.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later

  • Cisco 2500 that runs Cisco IOS Software Release 12.0 and later

  • ASA 5500 Security Appliance running Software Version 7.x and later

    Note: The PIX 500 Series Version 7.x/8.x runs the same software seen in ASA 5500 Version 7.x/8.x. The configurations in this document are applicable to both product lines.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

gre-ipsec-ospf-1.gif

Configurations

This document uses these configurations:

Router Left

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Left
!
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
!
!
!
interface Loopback11
ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
ip address 10.10.10.2 255.255.255.0
no keepalive
!
interface Serial0
no ip address
no keepalive
no fair-queue
ignore-dcd
!
interface Serial1
no ip address
shutdown
ignore-dcd
!
interface BRI0
no ip address
shutdown
!
router ospf 11
log-adjacency-changes
network 10.10.10.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
logging trap debugging
logging 20.20.20.2
access-list 100 permit ip any any
access-list 101 permit ip any any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
privilege level 15
no login
!
end

Router House

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Right
!
aaa new-model
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Loopback22
ip address 22.22.22.22 255.255.255.0
no ip directed-broadcast
!
interface Tunnel0
no ip address
no ip directed-broadcast
!
interface Ethernet0
ip address 20.20.20.2 255.255.255.0
no ip directed-broadcast
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface Async1
no ip address
no ip directed-broadcast
encapsulation ppp
!
router ospf 22
log-adjacency-changes
network 20.20.20.0 0.0.0.255 area 0
network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
!
!
!
line con 0
transport input none
line 1 8
line aux 0
line vty 0 4
!
end

Configure the PIX/ASA Security Appliance Version 7.x

You can configure the PIX/ASA Security Appliance either from the command-line interface (CLI) or through the Adaptive Security Device Manager (ASDM) GUI. The configuration in this section is for the ASA "Local". You configure the ASA "Remote" in the same way and only adjust for the differences in IP addressing.

Console into the PIX/ASA to configure the PIX/ASA Security Appliance version 7.x. From a cleared configuration, use the interactive prompts in order to enable the ASDM GUI for the management of the PIX/ASA from workstation 10.10.10.3.

Note: If the OSPF neighbor does not come up, consider the option to reduce the maximum transmission unit (MTU) size.

PIX/ASA-ASDM Bootstrap

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password []: cisco
Allow password recovery [yes]?
Clock (UTC):
Year [2006]:
Month [May]:
Day [25]:
Time [06:00:44]:
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 06:00:44 May 25 2006
Firewall Mode: Routed
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
Cryptochecksum: 34f55366 a32e232d ebc32ac1 3bfa201a

969 bytes copied in 0.880 secs

Use ASDM

Complete these steps in order to configure via the ASDM GUI:

  1. From workstation 10.10.10.3, open a browser and use ASDM.

    In this example, you use https://10.10.10.1.

  2. Click Yes on the certificate prompts.

  3. Log in with the enable password.

    This login appears in the PIX/ASA-ASDM Bootstrap configuration.

  4. Make a selection at the prompt to use ASDM Launcher or ASDM as a Java App.

    This prompt appears only if this is the first time that you have run ASDM on the PC. This example has selected and installed the ASDM Launcher.

  5. Go to the ASDM Home window and click the Configuration tab.

    gre-ipsec-ospf-2.gif

  6. Choose Interface > Edit in order to configure the outside interface.

    gre-ipsec-ospf-3.gif

  7. Click OK.

    gre-ipsec-ospf-4.gif

  8. Enter the interface details and click OK when complete.

    gre-ipsec-ospf-5.gif

  9. Click OK in the Security Level Change dialog box.

    gre-ipsec-ospf-6.gif

  10. Click Apply in order to accept the interface configuration.

    gre-ipsec-ospf-7.gif

    The configuration also gets pushed onto the PIX.

    Note: This example uses static routes.

  11. Choose Features > Routing > Static Route and click Add.

    gre-ipsec-ospf-8.gif

  12. Configure the default gateway and click OK.

    gre-ipsec-ospf-9.gif

  13. Configure a host-based static route for the remote peer in order to avoid possible recursive routing when OSPF comes up, and then click OK.

    gre-ipsec-ospf-10.gif

  14. Click Apply in order to accept the routing configuration.

    gre-ipsec-ospf-11.gif

    The configuration also gets pushed onto the PIX.

  15. Choose Wizards > VPN Wizard in order to use the VPN Wizard and create the LAN-to-LAN connection.

    gre-ipsec-ospf-12.gif

  16. In the VPN Wizard window, click Next where Site-to-Site is the default selection.

    gre-ipsec-ospf-13.gif

  17. Add the Peer IP Address, Tunnel Group Name (which is the IP address), and Pre-Shared Key information, and click Next.

    gre-ipsec-ospf-14.gif

  18. Add the Encryption type, Authentication type, DH Group information, and click Next.

    gre-ipsec-ospf-15.gif

  19. Add the IPsec parameters, Encryption type, Authentication type information, and click Next.

    gre-ipsec-ospf-16.gif

  20. Configure the inside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.

    gre-ipsec-ospf-17.gif

  21. Configure the outside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.

    gre-ipsec-ospf-18.gif

  22. Review the Summary for accuracy, then click Next.

    gre-ipsec-ospf-19.gif

  23. Choose Configuration > VPN in order to verify the LAN-to-LAN tunnel configurations that the VPN Wizard created.

    gre-ipsec-ospf-20.gif

  24. Create an access list in order to allow OSPF traffic to go across the VPN.

    This VPN access list is for the OSPF routes that are learned. Choose Configuration > VPN.

    gre-ipsec-ospf-21.gif

  25. Choose IPSec > IPSec Rules and click Add.

    gre-ipsec-ospf-22.gif

  26. Add the OSPF neighbor (IP address) data in this window and click OK.

    Note: Be sure that you work on the outside interface.

    gre-ipsec-ospf-23.gif

  27. Verify that the information is correct and click Apply.

    gre-ipsec-ospf-24.gif

  28. Choose Configuration > NAT and click Translation Exemption Rules in order to verify the Network Address Translation (NAT) configurations that the VPN Wizard created.

    gre-ipsec-ospf-25.gif

  29. Because this example uses NAT, uncheck the check box for Enable traffic through the firewall without address translation, then click Add. This step configures the NAT Rule.

    gre-ipsec-ospf-26.gif

  30. Configure the Source Network. Click Browse in order to define the NAT pool addresses for the inside. Then select outside for Translate Address on Interface and click Manage Pools.

    gre-ipsec-ospf-27.gif

  31. Select the outside interface and click Add.

    gre-ipsec-ospf-28.gif

  32. Because Port Address Translation (PAT) uses the IP address of the interface in this example, click Port Address Translation (PAT) using the IP address of the interface.

    gre-ipsec-ospf-29.gif

  33. Click OK after you configure the PAT pools.

    gre-ipsec-ospf-30.gif

  34. In the Add Address Translation Rule window, select the Address Pool that the configured Source Network is to use.

    gre-ipsec-ospf-31.gif

  35. Click OK. This window shows the output from the NAT configuration.

    gre-ipsec-ospf-32.gif

  36. Click Apply in order to save the configuration.

    gre-ipsec-ospf-33.gif

  37. Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab and check Enable this OSPF Process in order to set up OSPF on the PIX.

    gre-ipsec-ospf-34.gif

  38. Choose Area/Networks and click Add.

    gre-ipsec-ospf-35.gif

  39. Enter the IP Address and Netmask of one network in the OSPF process field and click OK (MD5 was chosen to show it as an optional element, but is not required).

    gre-ipsec-ospf-36.gif

  40. Verify that the information is correct and click Edit.

    gre-ipsec-ospf-37.gif

  41. Enter the IP Address and Netmask of the second network and outside remote peer in the OSPF process field and click OK.

    gre-ipsec-ospf-38.gif

  42. Verify that the information is correct and click Apply.

    gre-ipsec-ospf-39.gif

  43. Choose OSPF > Interface > Properties > Outside and click Edit.

    gre-ipsec-ospf-40.gif

  44. Uncheck Broadcast on the outside interface.

    Note: This must be unicast.

    gre-ipsec-ospf-41.gif

  45. Check the Broadcast column for the outside interface in order to verify that the selection is no and click Apply.

    gre-ipsec-ospf-42.gif

  46. Choose OSPF > Static Neighbor and click Add.

    gre-ipsec-ospf-43.gif

  47. Enter the IP address in the Neighbor field and select outside for the Interface. Click OK.

    gre-ipsec-ospf-44.gif

  48. Verify that the information is correct and click Apply. This action completes the configuration.

    gre-ipsec-ospf-45.gif

Choose File > Show Running Configuration in New Window in order to view the CLI configuration.

gre-ipsec-ospf-46.gif

ASA Local

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0

!--- This line allows the unicast of OSPF over the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive


!--- These access control list (ACL) entries define
!--- interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted
!--- only in the crypto ACL.


same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface



!--- Do not translate traffic with NAT.


nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!


!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.


router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0


!--- This is where OSPF is told where the
!--- PEER is located.



neighbor 40.40.40.2 interface outside
log-adj-changes
!


!--- This is a host-based static route. It is not always
!--- necessary, but it is recommended to prevent recursive routing loops when
!--- OSPF comes up over the IPsec tunnel.





route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- This is the IPsec and IKE/ISAKMP configuration.
!--- Make sure basic IPsec connectivity is present
!--- before you add in OSPF.


crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0



tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

ASA Remote

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0

!--- This line allows the unicast of OSPF over
!--- the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco


!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive


!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted only in the crypto ACL.


same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1


pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface



!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!


!--- This is OSPF.
!--- Note: You must define the remote peer's outside network.


router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0


!--- This is where the OSPF is told where the PEER is located.



neighbor 30.30.30.1 interface outside
log-adj-changes
!


!--- This is a host-based static route. It is not always necessary, but it is recommended
!--- to prevent recursive routing loops when OSPF comes up over the IPsec tunnel.


route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
!--- before you add in OSPF.


crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400


telnet timeout 5
ssh timeout 5
console timeout 0




tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
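The following added example (not Cisco code) checks a saved ASA configuration for the OSPF-over-IPsec elements that both configurations above depend on: the non-broadcast OSPF network type on the outside interface, the static OSPF neighbor, the OSPF permit in the crypto ACL, the peer's outside network in an OSPF network statement, and the host-based static route to the peer. The embedded configuration is a constructed excerpt of the "ASA Local" lines; the function names and finding texts are the example's own.

```python
"""Lint an ASA 7.x configuration for the OSPF-over-IPsec pattern.

Added example, not Cisco code. Each IPsec peer found in the crypto map is
checked against the five requirements the configuration comments call out.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the "ASA Local" configuration,
# indented the way "show running-config" prints them.
ASA_LOCAL = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 ospf network point-to-point non-broadcast
!
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
 neighbor 40.40.40.2 interface outside
 log-adj-changes
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map interface outside
"""


def _blocks(cfg: str, header: str) -> List[List[str]]:
    """Return the indented body lines of every block that starts with header."""
    blocks: List[List[str]] = []
    current = None
    for raw in cfg.splitlines():
        if raw.startswith(header):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return blocks


def ospf_interfaces(cfg: str) -> Dict[str, bool]:
    """Map each nameif to whether it runs OSPF as point-to-point non-broadcast."""
    result = {}
    for body in _blocks(cfg, "interface "):
        name = next((ln.split()[1] for ln in body if ln.startswith("nameif ")), None)
        if name:
            result[name] = "ospf network point-to-point non-broadcast" in body
    return result


def crypto_peers(cfg: str) -> List[Tuple[str, str, str]]:
    """Return (peer, crypto ACL, bound interface) for every crypto map entry with a peer."""
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    bound: Dict[str, str] = {}
    for line in cfg.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            entries.setdefault((m[1], m[2]), {})["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            entries.setdefault((m[1], m[2]), {})["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m[1]] = m[2]
    return [(e["peer"], e.get("acl", ""), bound.get(name, ""))
            for (name, _), e in entries.items() if "peer" in e]


def lint(cfg: str) -> List[str]:
    """Return findings per IPsec peer; an empty list means the pattern is complete."""
    findings = []
    ifaces = ospf_interfaces(cfg)
    neighbors = set(re.findall(r"^\s*neighbor (\S+) interface (\S+)", cfg, re.M))
    # Only /32 routes count: they keep the peer reachable via the underlay, not via OSPF.
    host_routes = {ip for _, ip, mask, _ in
                   re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
                   if mask == "255.255.255.255"}
    networks = [ipaddress.ip_network(f"{a}/{m}")
                for a, m in re.findall(r"^\s*network (\S+) (\S+) area", cfg, re.M)]
    for peer, acl, iface in crypto_peers(cfg):
        if not ifaces.get(iface, False):
            findings.append(f"{iface}: missing 'ospf network point-to-point non-broadcast'")
        if (peer, iface) not in neighbors:
            findings.append(f"{peer}: no 'neighbor {peer} interface {iface}' under router ospf")
        acl_re = rf"^access-list {re.escape(acl)} extended permit ospf .*host {re.escape(peer)}$"
        if not re.search(acl_re, cfg, re.M):
            findings.append(f"{acl}: crypto ACL does not permit ospf to host {peer}")
        if not any(ipaddress.ip_address(peer) in n for n in networks):
            findings.append(f"{peer}: peer's outside network is not in any OSPF network statement")
        if peer not in host_routes:
            findings.append(f"{peer}: no /32 static route to the peer (recursive routing risk)")
    return findings
```

Run `lint()` over the text of `show running-config` from either appliance; the same checks apply to the "ASA Remote" configuration, whose crypto map is named vpn and whose ACL is named crypto.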

Enable Reverse Route Injection (RRI)

In order to inject the remote LAN-to-LAN VPN networks into the OSPF routing domain, refer to Verify that Routing is Correct for the CLI configuration and LAN-to-LAN Network RRI for the ASDM configuration.

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • logging buffer debugging—Shows the establishment of connections and the denial of connections to hosts that go through the PIX. The PIX stores this information in its log buffer; use the show log command to see the output.

You can also use ASDM in order to enable logging and to view the logs.

  • show crypto isakmp sa—Shows the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) that is built between peers.

    Local#show crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 40.40.40.2
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE


    Remote#show crypto isa sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 30.30.30.1
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
  • show crypto ipsec sa—Shows each Phase 2 SA that is built and the amount of traffic that is sent.

    Local#show crypto ipsec sa
    interface: outside
    Crypto map tag: vpn, local addr: 30.30.30.1

    local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
    remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
    current_peer: 40.40.40.2

    #pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
    #pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 355, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 30.30.30.1, remote crypto endpt.: 40.40.40.2

    path mtu 1500, ipsec overhead 60, media mtu 1500
    current outbound spi: 83444440

    inbound esp sas:
    spi: 0xAE9AB30C (2929373964)
    transform: esp-3des esp-sha-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 1, crypto-map: vpn
    sa timing: remaining key lifetime (kB/sec): (3824976/25399)
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0x83444440 (2202289216)
    transform: esp-3des esp-sha-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 1, crypto-map: vpn
    sa timing: remaining key lifetime (kB/sec): (3824975/25396)
    IV size: 8 bytes
    replay detection support: Y


    Remote#show crypto ipsec sa
    interface: outside
    Crypto map tag: vpn, local addr: 40.40.40.2

    local ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
    remote ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
    current_peer: 30.30.30.1

    #pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
    #pkts decaps: 364, #pkts decrypt: 364, #pkts verify: 364
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 364, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 40.40.40.2, remote crypto endpt.: 30.30.30.1

    path mtu 1500, ipsec overhead 60, media mtu 1500
    current outbound spi: AE9AB30C

    inbound esp sas:
    spi: 0x83444440 (2202289216)
    transform: esp-3des esp-sha-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 1, crypto-map: vpn
    sa timing: remaining key lifetime (kB/sec): (4274975/25301)
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0xAE9AB30C (2929373964)
    transform: esp-3des esp-sha-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 1, crypto-map: vpn
    sa timing: remaining key lifetime (kB/sec): (4274975/25300)
    IV size: 8 bytes
    replay detection support: Y
  • show ospf neighbor—Shows that the OSPF neighbor relationships have formed.

    Local#show ospf neighbor
    Neighbor ID Pri State Dead Time Address Interface
    40.40.40.2 1 FULL/ - 0:00:38 40.40.40.2 outside
    11.11.11.11 1 FULL/DR 0:00:33 10.10.10.2 inside

    Remote#show ospf neighbor
    Neighbor ID Pri State Dead Time Address Interface
    30.30.30.1 1 FULL/ - 0:00:38 30.30.30.1 outside
    22.22.22.22 1 FULL/DR 0:00:38 20.20.20.2 inside
  • show debug—Displays the debug output.

    Local(config)#show debug
    debug crypto ipsec enabled at level 1
    debug crypto engine enabled at level 1
    debug crypto isakmp enabled at level 1

    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    IKE SA MM:ec9c234a rcv'd Terminate: state MM_ACTIVE flags 0x0021c042,
    ref2cnt 1, tuncnt 1
    May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing blank hash
    May 25 12:49:21 [IKEv1 DEBUG]: constructing IPSec delete payload
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing qm hash
    May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
    (msgid=df6487d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE
    (0) total length : 64
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Active unit receives a delete event for remote peer 40.40.40.2.

    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    IKE Deleting SA: Remote Proxy 40.40.40.2, Local Proxy 30.30.30.1
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    IKE SA MM:ec9c234a terminating: flags 0x0121c002, refcnt 0, tuncnt 0
    May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing blank hash
    May 25 12:49:21 [IKEv1 DEBUG]: constructing IKE delete payload
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing qm hash
    May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
    (msgid=ec167928) with payloads : HDR + HASH (8) + DELETE (12) + NONE
    (0) total length : 76
    May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x504ea964
    May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x79fbcb2d
    28-05-05-ASA5520-2(config)# May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2,
    processing SA payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Oakley proposal is acceptable
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Fragmentation VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE Peer included IKE
    fragmentation capability flags: Main Mode: True Aggressive Mode: True
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing IKE SA
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE SA Proposal # 1,
    Transform # 1 acceptable Matches global IKE entry # 3
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ISA_SA for isakmp
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Fragmentation
    VID + extended capabilities payload
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
    (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total
    length : 108
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
    (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR
    (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ke payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ISA_KE
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Cisco Unity client VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received xauth V6 VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing VPN3000/ASA
    spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Altiga/Cisco
    VPN3000/Cisco ASA GW VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ke payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Cisco Unity
    VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing xauth V6 VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send IOS VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing ASA spoofing IOS
    Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send Altiga/Cisco
    VPN3000/Cisco ASA GW VID
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group
    40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Generating keys for Responder...
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
    (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
    VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
    (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14)
    + VENDOR (13) + NONE (0) total length : 92
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing hash
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    computing hash
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing IOS keep
    alive payload: proposal=32767/32767 sec.
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Received DPD VID
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on
    tunnel_group 40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing ID
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    construct hash payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    computing hash
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing IOS
    keep alive payload: proposal=32767/32767 sec.
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing dpd vid payload
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING
    Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) +
    IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    PHASE 1 COMPLETED
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep-alive type for
    this connection: DPD
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Starting phase 1 rekey timer: 73440000 (ms)
    May 25 12:49:39 [IKEv1 DECODE]: IP = 40.40.40.2, IKE Responder starting
    QM: msg id = 0529ac6b
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
    (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
    + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing hash
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing SA payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    40.40.40.2
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Received remote Proxy Host data in ID Payload: Address 40.40.40.2,
    Protocol 89, Port 0
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    30.30.30.1
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Received local Proxy Host data in ID Payload: Address 30.30.30.1,
    Protocol 89, Port 0
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Processing Notify payload
    May 25 12:49:39 [IKEv1]: QM IsRekeyed old sa not found by addr
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Static Crypto Map check, checking map = vpn, seq = 10...
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Static Crypto Map check, map vpn, seq = 10 is a successful match
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    IKE Remote Peer configured for SA: vpn
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing IPSEC SA
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    IPSec SA Proposal # 1, Transform # 1 acceptable Matches global
    IPSec SA entry # 10
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    IKE: requesting SPI!
    May 25 12:49:39 [IKEv1]: Received unexpected event
    EV_ACTIVATE_NEW_SA in state MM_ACTIVE
    May 25 12:49:40 [IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xf629186e
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    oakley constucting quick mode
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing blank hash
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing ISA_SA for ipsec
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing ipsec nonce payload
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing proxy ID
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Transmitting Proxy Id:
    Remote host: 40.40.40.2 Protocol 89 Port 0
    Local host: 30.30.30.1 Protocol 89 Port 0
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    constructing qm hash
    May 25 12:49:40 [IKEv1 DECODE]: IKE Responder sending 2nd QM pkt:
    msg id = 0529ac6b
    May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
    (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
    + ID (5) + ID (5) + NONE (0) total length : 156
    May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
    (msgid=529ac6b) with payloads : HDR + HASH (8) + NONE (0) total length : 48
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    processing hash
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    loading all IPSEC SAs
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Generating Quick Mode Key!
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
    Generating Quick Mode Key!
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Security negotiation complete for LAN-to-LAN Group (40.40.40.2)
    Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
    May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
    May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    Starting P2 Rekey timer to expire in 24480 seconds
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
    PHASE 2 COMPLETED (msgid=0529ac6b)
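
The debug output above is what a practitioner reads after bringing the tunnel up: both phases completed, the proxy IDs are host-to-host for IP protocol 89 (OSPF) between 30.30.30.1 and 40.40.40.2, crypto map `vpn` sequence 10 matched, and an inbound/outbound SPI pair was installed. The following Python script is an added example, not part of the original Cisco document: it re-joins the console-wrapped debug lines (continuation lines carry no timestamp), extracts those facts, and checks them against the endpoints you expect. The sample input is a constructed excerpt modelled on the output above, and the function names (`summarize`, `check_ospf_tunnel`) are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of ASA "debug crypto isakmp" output.
# The console wraps long entries; continuation lines carry no timestamp.
SAMPLE_DEBUG = """\
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 1 COMPLETED
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep-alive type for
this connection: DPD
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received remote Proxy Host data in ID Payload: Address 40.40.40.2,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received local Proxy Host data in ID Payload: Address 30.30.30.1,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Static Crypto Map check, map vpn, seq = 10 is a successful match
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Security negotiation complete for LAN-to-LAN Group (40.40.40.2)
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 2 COMPLETED (msgid=0529ac6b)
"""

OSPF = 89  # IP protocol number carried in the proxy IDs above

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \[IKEv1")
PEER_RE = re.compile(r"\bIP = ([\d.]+)")
PROXY_RE = re.compile(r"Received (remote|local) Proxy Host data in ID Payload: "
                      r"Address ([\d.]+), Protocol (\d+), Port (\d+)")
MAP_RE = re.compile(r"Static Crypto Map check, map (\S+), seq = (\d+) is a successful match")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)")


def join_wrapped(text: str) -> List[str]:
    """Re-join console-wrapped debug output so each log entry is one string."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line   # no timestamp: continuation of previous entry
    return entries


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    phase1_done: bool = False
    phase2_done: bool = False
    keepalive: Optional[str] = None
    proxies: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)  # side -> (addr, proto, port)
    crypto_map: Optional[Tuple[str, int]] = None
    spis: Optional[Tuple[str, str]] = None  # (inbound, outbound)


def summarize(text: str) -> IkeSummary:
    """Pull the facts worth verifying out of one IKEv1 negotiation."""
    s = IkeSummary()
    for entry in join_wrapped(text):
        m = PEER_RE.search(entry)
        if m and s.peer is None:
            s.peer = m.group(1)
        if "PHASE 1 COMPLETED" in entry:
            s.phase1_done = True
        elif "PHASE 2 COMPLETED" in entry:
            s.phase2_done = True
        elif "Keep-alive type for this connection:" in entry:
            s.keepalive = entry.rsplit(":", 1)[1].strip()
        elif (m := PROXY_RE.search(entry)):
            side, addr, proto, port = m.groups()
            s.proxies[side] = (addr, int(proto), int(port))
        elif (m := MAP_RE.search(entry)):
            s.crypto_map = (m.group(1), int(m.group(2)))
        elif (m := SPI_RE.search(entry)):
            s.spis = (m.group(1), m.group(2))
    return s


def check_ospf_tunnel(s: IkeSummary, local: str, remote: str) -> List[str]:
    """Return problems; an empty list means an IPsec SA protecting OSPF (protocol 89)
    between exactly `local` and `remote` was negotiated."""
    problems: List[str] = []
    if not s.phase1_done:
        problems.append("phase 1 did not complete")
    if not s.phase2_done:
        problems.append("phase 2 did not complete")
    for side, want in (("local", local), ("remote", remote)):
        got = s.proxies.get(side)
        if got is None:
            problems.append(f"no {side} proxy ID seen")
            continue
        addr, proto, _port = got
        if addr != want:
            problems.append(f"{side} proxy ID is {addr}, expected {want}")
        if proto != OSPF:
            # Protocol 0 would mean the SA covers all IP traffic between the hosts,
            # a broader selector than the OSPF-only one negotiated above.
            problems.append(f"{side} proxy ID protocol {proto} is not OSPF ({OSPF})")
    if s.spis is None:
        problems.append("no inbound/outbound SPI pair reported")
    return problems


if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    print(summary)
    print(check_ospf_tunnel(summary, local="30.30.30.1", remote="40.40.40.2") or "OK")
```

If the check reports a proxy ID with a different address or protocol than you expected, compare the crypto ACLs on both peers before touching anything else: the proxy IDs are simply the two sides' view of that ACL, and an SA that covers more than the OSPF hello exchange between the two appliances is a wider selector than this design needs.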

Verify that the LAN-to-LAN tunnel carries routing updates by checking the routing tables on both routers. Each router should learn the far side's networks (the other router's LAN and loopback) as OSPF (O) routes with its local security appliance as the next hop; that is only possible if OSPF traffic is crossing the IPsec tunnel, which the proxy IDs above (protocol 89 between 30.30.30.1 and 40.40.40.2) confirm:

  • show ip route—Displays IP routing table entries.

    Left#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route

    Gateway of last resort is 10.10.10.1 to network 0.0.0.0

    20.0.0.0/24 is subnetted, 1 subnets
    O 20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
    22.0.0.0/32 is subnetted, 1 subnets
    O 22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
    40.0.0.0/24 is subnetted, 1 subnets
    O 40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
    10.0.0.0/24 is subnetted, 1 subnets
    C 10.10.10.0 is directly connected, Ethernet0
    11.0.0.0/24 is subnetted, 1 subnets
    C 11.11.11.0 is directly connected, Loopback11
    30.0.0.0/24 is subnetted, 1 subnets
    O 30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
    S* 0.0.0.0/0 [1/0] via 10.10.10.1


    Left#ping 20.20.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
    !!!!!

    Right#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route

    Gateway of last resort is 20.20.20.1 to network 0.0.0.0

    20.0.0.0/24 is subnetted, 1 subnets
    C 20.20.20.0 is directly connected, Ethernet0
    22.0.0.0/24 is subnetted, 1 subnets
    C 22.22.22.0 is directly connected, Loopback22
    40.0.0.0/24 is subnetted, 1 subnets
    O 40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
    10.0.0.0/24 is subnetted, 1 subnets
    O 10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
    11.0.0.0/32 is subnetted, 1 subnets
    O 11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
    30.0.0.0/24 is subnetted, 1 subnets
    O 30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
    S* 0.0.0.0/0 [1/0] via 20.20.20.1


    Right#ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
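
The two routing tables above are the evidence that OSPF runs across the tunnel: Left holds 20.20.20.0/24 and 22.22.22.22/32 as O routes via 10.10.10.1, and Right holds 10.10.10.0/24 and 11.11.11.11/32 as O routes via 20.20.20.1. The following Python script is an added example, not part of the original Cisco document: it parses IOS `show ip route` output (including the classful "is subnetted" headers that older IOS prints, whose mask applies to the entries beneath them) and checks that each far-side prefix was learned from OSPF with the local appliance as next hop, which is the same check done by eye above. The route tables are constructed copies of the two outputs above with the code legend omitted; `parse_ip_route`, `find_route` and `check_learned_via_appliance` are the example's own names.

```python
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    code: str               # "C", "S*", "O", "O IA", ...
    prefix: str             # e.g. "20.20.20.0/24"
    ad: Optional[int]       # administrative distance; None for connected routes
    metric: Optional[int]   # OSPF cost (or static metric); None for connected routes
    next_hop: Optional[str]
    iface: Optional[str]


# Constructed copies of the two tables shown above (code legend omitted).
LEFT_ROUTE_TABLE = """\
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
20.0.0.0/24 is subnetted, 1 subnets
O 20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Ethernet0
11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback11
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
S* 0.0.0.0/0 [1/0] via 10.10.10.1
"""

RIGHT_ROUTE_TABLE = """\
Gateway of last resort is 20.20.20.1 to network 0.0.0.0
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Ethernet0
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
O 10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
11.0.0.0/32 is subnetted, 1 subnets
O 11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
S* 0.0.0.0/0 [1/0] via 20.20.20.1
"""

# "20.0.0.0/24 is subnetted, 1 subnets": the mask applies to the next N entries.
SUBNET_RE = re.compile(r"^[\d.]+/(\d+) is subnetted, (\d+) subnets")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Za-z0-9*]{0,2}(?: (?:IA|E1|E2|N1|N2|L1|L2|ia|EX))?)\s+"
    r"(?P<prefix>[\d.]+(?:/\d+)?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+)|is directly connected)"
    r"(?:, \d[\d:dhmwy]*)?(?:, (?P<iface>\S+))?$")   # optional age, optional interface


def parse_ip_route(text: str) -> List[Route]:
    """Parse IOS 'show ip route' output; carries the classful header's mask down."""
    routes: List[Route] = []
    mask, remaining = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBNET_RE.match(line)
        if m:
            mask, remaining = m.group(1), int(m.group(2))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix = m.group("prefix")
        if "/" not in prefix and mask and remaining > 0:
            prefix, remaining = f"{prefix}/{mask}", remaining - 1
        ad = int(m.group("ad")) if m.group("ad") else None
        metric = int(m.group("metric")) if m.group("metric") else None
        routes.append(Route(m.group("code"), prefix, ad, metric, m.group("nh"), m.group("iface")))
    return routes


def find_route(routes: List[Route], prefix: str) -> Optional[Route]:
    return next((r for r in routes if r.prefix == prefix), None)


def check_learned_via_appliance(routes: List[Route], prefix: str, appliance_ip: str) -> List[str]:
    """Empty list means `prefix` is an OSPF route whose next hop is the local appliance,
    i.e. the far side advertised it across the tunnel. Otherwise, what is wrong."""
    r = find_route(routes, prefix)
    if r is None:
        return [f"{prefix}: not in routing table"]
    problems: List[str] = []
    if not r.code.startswith("O"):
        problems.append(f"{prefix}: code {r.code!r} is not an OSPF route")
    if r.next_hop != appliance_ip:
        problems.append(f"{prefix}: next hop {r.next_hop} is not {appliance_ip}")
    return problems


if __name__ == "__main__":
    for name, table, appliance, far_side in (
        ("Left", LEFT_ROUTE_TABLE, "10.10.10.1", ["20.20.20.0/24", "22.22.22.22/32"]),
        ("Right", RIGHT_ROUTE_TABLE, "20.20.20.1", ["10.10.10.0/24", "11.11.11.11/32"]),
    ):
        routes = parse_ip_route(table)
        for p in far_side:
            print(name, p, check_learned_via_appliance(routes, p, appliance) or "OK")
```

A table that shows only the connected routes and the static default is the usual failure picture: the tunnel is up but the OSPF adjacency between the appliances did not form, so nothing behind the far side is learned and traffic follows the default route instead. The loopbacks appear as /32 host routes because OSPF advertises a loopback interface that way by default.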