Introduction
This document provides a sample configuration for a VPN/IPsec with Open Shortest Path First (OSPF) on Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA). PIX/ASA 7.x allows OSPF unicast to run over an existing VPN connection. You no longer need to configure a Generic Routing Encapsulation (GRE) tunnel.
Prerequisites
Requirements
Ensure that you can establish the VPN connection before you attempt this configuration.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later
- Cisco 2500 that runs Cisco IOS Software Release 12.0 and later
- ASA 5500 Security Appliance running Software Version 7.x and later
Note: The PIX 500 Series Version 7.x/8.x runs the same software seen in ASA 5500 Version 7.x/8.x. The configurations in this document are applicable to both product lines.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
Router Left
version 12.1
Router House
version 12.0
Configure the PIX/ASA Security Appliance Version 7.x
You can configure the PIX/ASA Security Appliance either from the command-line interface (CLI) or from the Adaptive Security Device Manager (ASDM) GUI. The configuration in this section is for the ASA "Local". You configure the ASA "Remote" in the same way and adjust only for the differences in IP addressing.
Console into the PIX/ASA to configure the PIX/ASA Security Appliance version 7.x. From a cleared configuration, use the interactive prompts in order to enable the ASDM GUI for the management of the PIX/ASA from workstation 10.10.10.3.
Note: If the OSPF neighbor does not come up, consider the option to reduce the maximum transmission unit (MTU) size.
PIX/ASA-ASDM Bootstrap
Pre-configure Firewall now through interactive prompts [yes]?
Use ASDM
Complete these steps in order to configure via the ASDM GUI:
- From workstation 10.10.10.3, open a browser and use ASDM. In this example, you use https://10.10.10.1.
- Click Yes on the certificate prompts.
- Log in with the enable password. This login appears in the PIX/ASA-ASDM Bootstrap configuration.
- Make a selection at the prompt to use ASDM Launcher or ASDM as a Java App. This prompt appears only if this is the first time that you have run ASDM on the PC. This example has selected and installed the ASDM Launcher.
- Go to the ASDM Home window and click the Configuration tab.
- Choose Interface > Edit in order to configure the outside interface.
- Click OK.
- Enter the interface details and click OK when complete.
- Click OK in the Security Level Change dialog box.
- Click Apply in order to accept the interface configuration. The configuration also gets pushed onto the PIX.
  Note: This example uses static routes.
- Choose Features > Routing > Static Route and click Add.
- Configure the default gateway and click OK.
- Configure a host-based static route for the remote peer in order to avoid possible recursive routing when OSPF comes up, and then click OK.
- Click Apply in order to accept the routing configuration. The configuration also gets pushed onto the PIX.
- Choose Wizards > VPN Wizard in order to use the VPN Wizard and create the LAN-to-LAN connection.
- In the VPN Wizard window, click Next; Site-to-Site is the default selection.
- Add the Peer IP Address, Tunnel Group Name (which is the IP address), and Pre-Shared Key information, and click Next.
- Add the Encryption type, Authentication type, and DH Group information, and click Next.
- Add the IPsec parameters (Encryption type and Authentication type), and click Next.
- Configure the inside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.
- Configure the outside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.
- Review the Summary for accuracy, then click Next.
- Choose Configuration > VPN in order to verify the LAN-to-LAN tunnel configurations that the VPN Wizard created.
- Create an access list in order to allow OSPF traffic to go across the VPN. This VPN access list is for the OSPF routes that are learned. Choose Configuration > VPN.
- Choose IPSec > IPSec Rules and click Add.
- Add the OSPF neighbor (IP address) data in this window and click OK.
  Note: Be sure that you work on the outside interface.
- Verify that the information is correct and click Apply.
- Choose Configuration > NAT and click Translation Exemption Rules in order to verify the Network Address Translation (NAT) configurations that the VPN Wizard created.
- Because this example uses NAT, uncheck the Enable traffic through the firewall without address translation check box, then click Add. This step configures the NAT rule.
- Configure the Source Network. Click Browse in order to define the NAT pool addresses for the inside. Then select outside for Translate Address on Interface and click Manage Pools.
- Select the outside interface and click Add.
- Because Port Address Translation (PAT) uses the IP address of the interface in this example, click Port Address Translation (PAT) using the IP address of the interface.
- Click OK after you configure the PAT pools.
- In the Add Address Translation Rule window, select the Address Pool that the configured Source Network is to use.
- Click OK. This window shows the output from the NAT configuration.
- Click Apply in order to save the configuration.
- Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab, and check Enable this OSPF Process in order to set up OSPF on the PIX.
- Choose Area/Networks and click Add.
- Enter the IP Address and Netmask of one network in the OSPF process field and click OK (MD5 was chosen to show it as an optional element, but it is not required).
- Verify that the information is correct and click Edit.
- Enter the IP Address and Netmask of the second network and the outside remote peer in the OSPF process field and click OK.
- Verify that the information is correct and click Apply.
- Choose OSPF > Interface > Properties > Outside and click Edit.
- Uncheck Broadcast on the outside interface.
  Note: This must be unicast.
- Check the Broadcast column for the outside interface in order to verify that the selection is no, and click Apply.
- Choose OSPF > Static Neighbor and click Add.
- Enter the IP address in the Neighbor field and select outside for the Interface. Click OK.
- Verify that the information is correct and click Apply. This action completes the configuration.
Choose File > Show Running Configuration in New Window in order to view the CLI configuration.
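The ASDM steps above encode a small set of requirements that are worth auditing in the resulting running configuration before the tunnel is declared done: a host static route for the remote peer (so the peer is never reached through an OSPF route learned over the tunnel itself), an entry in the crypto access list that permits OSPF (protocol 89) between the two outside addresses, that access list bound to a crypto map entry for the peer and the map applied to an interface, a static OSPF neighbor for the peer on outside, and the outside interface in non-broadcast mode. The Python script below is an added example, not part of this document and not Cisco code: it embeds a constructed ASA 7.x configuration for ASA "Local" that uses the document's addresses (the outside next hop 30.30.30.2, the interface names, the access-list and crypto map names, and the exact command syntax are assumptions) and checks it against those requirements.

```python
"""Audit an ASA 7.x configuration for the OSPF-over-IPsec requirements this procedure sets up."""
import re
from typing import Dict, List

# Constructed sample: the CLI equivalent of the ASDM steps for ASA "Local". Tunnel and LAN
# addresses come from the document; next hop, interface names, object names and exact
# syntax are assumptions and must be adapted to the real device.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 ospf network point-to-point non-broadcast
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
access-list vpn extended permit ospf host 30.30.30.1 host 40.40.40.2
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 40.40.40.2
crypto map vpn 10 set transform-set ESP-3DES-SHA
crypto map vpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
 pre-shared-key *
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 neighbor 40.40.40.2 interface outside
"""


def split_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under the top-level command that introduced them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_ospf_over_vpn(config: str, local_ip: str, peer_ip: str) -> List[str]:
    """Return findings; an empty list means the configuration meets every requirement."""
    sections = split_sections(config)
    top = list(sections)
    local, peer = re.escape(local_ip), re.escape(peer_ip)
    findings: List[str] = []
    # 1. Host route for the peer, so the tunnel endpoint is never reached through an
    #    OSPF-learned route that itself points into the tunnel (recursive routing).
    if not any(re.fullmatch(rf"route \S+ {peer} 255\.255\.255\.255 \S+( \d+)?", l) for l in top):
        findings.append(f"no host static route for VPN peer {peer_ip}")
    # 2. A crypto access-list must permit OSPF (protocol 89) between the two outside addresses.
    acl_names = set()
    for l in top:
        m = re.fullmatch(rf"access-list (\S+) extended permit (ospf|89) host {local} host {peer}", l)
        if m:
            acl_names.add(m.group(1))
    if not acl_names:
        findings.append("no access-list permits OSPF between the tunnel endpoints")
    # 3. That access-list must be the match address of a crypto map entry for the peer,
    #    and the crypto map must be applied to an interface.
    entries: Dict[tuple, Dict[str, str]] = {}
    for l in top:
        m = re.fullmatch(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", l)
        if m:
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    bound = [k for k, v in entries.items() if v.get("match address") in acl_names and v.get("set peer") == peer_ip]
    if not bound:
        findings.append("the OSPF access-list is not bound to a crypto map entry for the peer")
    elif not any(re.fullmatch(rf"crypto map {re.escape(bound[0][0])} interface \S+", l) for l in top):
        findings.append(f"crypto map {bound[0][0]} is not applied to an interface")
    # 4. OSPF over the tunnel is unicast: a static neighbor statement on outside is required.
    ospf = next((v for k, v in sections.items() if k.startswith("router ospf ")), None)
    if ospf is None or f"neighbor {peer_ip} interface outside" not in ospf:
        findings.append(f"OSPF process has no static neighbor {peer_ip} on outside")
    # 5. The outside interface must run OSPF in non-broadcast mode (Broadcast unchecked in ASDM).
    outside = next((v for k, v in sections.items() if k.startswith("interface ") and "nameif outside" in v), None)
    if outside is None or "ospf network point-to-point non-broadcast" not in outside:
        findings.append("outside interface is not in OSPF non-broadcast mode")
    return findings


if __name__ == "__main__":
    print(audit_ospf_over_vpn(SAMPLE_CONFIG, "30.30.30.1", "40.40.40.2") or "all checks passed")
```

To audit a real device, paste the output of show running-config into a file and pass its contents to audit_ospf_over_vpn with the local and remote outside addresses; the ASA "Remote" is checked the same way with the two addresses swapped.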
ASA Local
ASA Version 7.X
ASA Remote
ASA Version 7.X
Enable Reverse Route Injection (RRI)
In order to inject the remote LAN-to-LAN VPN networks into the OSPF-running network, refer to Verify that Routing is Correct for the CLI configuration and LAN-to-LAN Network RRI for the ASDM configuration.
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
- logging buffer debugging—Shows the establishment of connections and denial of connections to hosts that go through the PIX. The PIX log buffer stores the information. You can see the output if you use the show log command. You can also use ASDM in order to enable logging and to view the logs.
- show crypto isakmp sa—Shows the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) that is built between peers.
Local#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 40.40.40.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Remote#show crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 30.30.30.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
- show crypto ipsec sa—Shows each Phase 2 SA that is built and the amount of traffic that is sent.
Local#show crypto ipsec sa
interface: outside
Crypto map tag: vpn, local addr: 30.30.30.1
local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
current_peer: 40.40.40.2
#pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
#pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 355, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 30.30.30.1, remote crypto endpt.: 40.40.40.2
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 83444440
inbound esp sas:
spi: 0xAE9AB30C (2929373964)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (3824976/25399)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x83444440 (2202289216)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (3824975/25396)
IV size: 8 bytes
replay detection support: Y
Remote#show crypto ipsec sa
interface: outside
Crypto map tag: vpn, local addr: 40.40.40.2
local ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
current_peer: 30.30.30.1
#pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
#pkts decaps: 364, #pkts decrypt: 364, #pkts verify: 364
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 364, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 40.40.40.2, remote crypto endpt.: 30.30.30.1
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: AE9AB30C
inbound esp sas:
spi: 0x83444440 (2202289216)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (4274975/25301)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xAE9AB30C (2929373964)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (4274975/25300)
IV size: 8 bytes
replay detection support: Y
- show ospf neighbor—Shows that the OSPF neighbor relationships have formed.
Local#show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
40.40.40.2 1 FULL/ - 0:00:38 40.40.40.2 outside
11.11.11.11 1 FULL/DR 0:00:33 10.10.10.2 inside
Remote#show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
30.30.30.1 1 FULL/ - 0:00:38 30.30.30.1 outside
22.22.22.22 1 FULL/DR 0:00:38 20.20.20.2 inside
- show debug—Displays the debug output.
Local(config)#show debug
debug crypto ipsec enabled at level 1
debug crypto engine enabled at level 1
debug crypto isakmp enabled at level 1
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE SA MM:ec9c234a rcv'd Terminate: state MM_ACTIVE flags 0x0021c042,
ref2cnt 1, tuncnt 1
May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:21 [IKEv1 DEBUG]: constructing IPSec delete payload
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=df6487d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 64
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Active unit receives a delete event for remote peer 40.40.40.2.
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE Deleting SA: Remote Proxy 40.40.40.2, Local Proxy 30.30.30.1
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE SA MM:ec9c234a terminating: flags 0x0121c002, refcnt 0, tuncnt 0
May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:21 [IKEv1 DEBUG]: constructing IKE delete payload
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=ec167928) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 76
May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x504ea964
May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x79fbcb2d
28-05-05-ASA5520-2(config)# May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2,
processing SA payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Oakley proposal is acceptable
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Fragmentation VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE Peer included IKE
fragmentation capability flags: Main Mode: True Aggressive Mode: True
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing IKE SA
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE SA Proposal # 1,
Transform # 1 acceptable Matches global IKE entry # 3
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ISA_SA for isakmp
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Fragmentation
VID + extended capabilities payload
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total
length : 108
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ke payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ISA_KE
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Cisco Unity client VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received xauth V6 VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing VPN3000/ASA
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Altiga/Cisco
VPN3000/Cisco ASA GW VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ke payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Cisco Unity
VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing xauth V6 VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send IOS VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing ASA spoofing IOS
Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group
40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating keys for Responder...
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14)
+ VENDOR (13) + NONE (0) total length : 92
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
computing hash
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing IOS keep
alive payload: proposal=32767/32767 sec.
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Received DPD VID
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on
tunnel_group 40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ID
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
construct hash payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
computing hash
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing IOS
keep alive payload: proposal=32767/32767 sec.
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing dpd vid payload
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING
Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) +
IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 1 COMPLETED
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep-alive type for
this connection: DPD
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Starting phase 1 rekey timer: 73440000 (ms)
May 25 12:49:39 [IKEv1 DECODE]: IP = 40.40.40.2, IKE Responder starting
QM: msg id = 0529ac6b
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing SA payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
40.40.40.2
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received remote Proxy Host data in ID Payload: Address 40.40.40.2,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
30.30.30.1
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received local Proxy Host data in ID Payload: Address 30.30.30.1,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing Notify payload
May 25 12:49:39 [IKEv1]: QM IsRekeyed old sa not found by addr
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Static Crypto Map check, checking map = vpn, seq = 10...
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Static Crypto Map check, map vpn, seq = 10 is a successful match
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE Remote Peer configured for SA: vpn
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
processing IPSEC SA
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IPSec SA Proposal # 1, Transform # 1 acceptable Matches global
IPSec SA entry # 10
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE: requesting SPI!
May 25 12:49:39 [IKEv1]: Received unexpected event
EV_ACTIVATE_NEW_SA in state MM_ACTIVE
May 25 12:49:40 [IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xf629186e
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
oakley constucting quick mode
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ISA_SA for ipsec
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ipsec nonce payload
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing proxy ID
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Transmitting Proxy Id:
Remote host: 40.40.40.2 Protocol 89 Port 0
Local host: 30.30.30.1 Protocol 89 Port 0
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:40 [IKEv1 DECODE]: IKE Responder sending 2nd QM pkt:
msg id = 0529ac6b
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NONE (0) total length : 156
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + NONE (0) total length : 48
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
loading all IPSEC SAs
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating Quick Mode Key!
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating Quick Mode Key!
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Security negotiation complete for LAN-to-LAN Group (40.40.40.2)
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 2 COMPLETED (msgid=0529ac6b)
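The show output above carries the three facts that confirm OSPF is really running inside the tunnel: the proxy identities are host-to-host for protocol 89 (OSPF, not GRE), packets are encapsulated and decapsulated with zero send and receive errors, and the OSPF neighbor at the peer's outside address is FULL on the outside interface. The Python below is an added example, not part of this document and not Cisco code; it parses abridged copies of the Local ASA's show crypto ipsec sa and show ospf neighbor output from above (leading whitespace restored, field names as they appear on the page) and reports anything that deviates from those expectations.

```python
"""Check 'show crypto ipsec sa' and 'show ospf neighbor' output for OSPF over an IPsec tunnel."""
import re
from typing import Dict, List

# Sample output taken from the document's Local ASA, abridged to the lines these checks read.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: vpn, local addr: 30.30.30.1
      local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
      current_peer: 40.40.40.2
      #pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
      #pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xAE9AB30C (2929373964)
         transform: esp-3des esp-sha-hmac
         replay detection support: Y
    outbound esp sas:
      spi: 0x83444440 (2202289216)
         transform: esp-3des esp-sha-hmac
         replay detection support: Y
"""
SHOW_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
40.40.40.2        1   FULL/  -        0:00:38     40.40.40.2      outside
11.11.11.11       1   FULL/DR         0:00:33     10.10.10.2      inside
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([^/\s]+)/([^/\s]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
# The State column may read "FULL/  -" on a point-to-point neighbor, so the dash is optional.
NEIGHBOR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)(?:\s+-)?\s+(\d+:\d+:\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_ipsec_sa(text: str) -> Dict:
    """Extract proxy identities, traffic counters and ESP SPIs from one crypto map entry."""
    sa: Dict = {"ident": {}, "counters": {}, "spi": {}, "peer": None}
    direction = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            sa["ident"][side] = {"addr": addr, "mask": mask, "proto": int(proto), "port": int(port)}
            continue
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        m = re.match(r"^\s*current_peer: (\S+)", line)
        if m:
            sa["peer"] = m.group(1)
        stripped = line.strip()
        if stripped.startswith("inbound esp sas"):
            direction = "inbound"
        elif stripped.startswith("outbound esp sas"):
            direction = "outbound"
        m = SPI_RE.match(line)
        if m and direction and direction not in sa["spi"]:
            sa["spi"][direction] = m.group(1).lower()
    return sa


def parse_ospf_neighbors(text: str) -> List[Dict]:
    """Parse the neighbor table; the header line does not match the pattern and is skipped."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            rid, _pri, state, _dead, addr, ifname = m.groups()
            neighbors.append({"id": rid, "state": state.split("/")[0], "address": addr, "interface": ifname})
    return neighbors


def check_ospf_over_vpn(sa: Dict, neighbors: List[Dict], local_ip: str, peer_ip: str,
                        interface: str = "outside") -> List[str]:
    """Return findings; empty means the tunnel carries OSPF and the adjacency is up."""
    findings: List[str] = []
    for side, expected in (("local", local_ip), ("remote", peer_ip)):
        ident = sa["ident"].get(side)
        if ident is None or ident["addr"] != expected or ident["mask"] != "255.255.255.255":
            findings.append(f"{side} proxy identity is not host {expected}")
        elif ident["proto"] != 89:
            findings.append(f"{side} proxy identity carries protocol {ident['proto']}, not 89 (OSPF)")
    c = sa["counters"]
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        findings.append("no traffic in one direction of the tunnel (encaps or decaps is 0)")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("IPsec send/recv errors are non-zero")
    if len(sa["spi"]) != 2 or sa["spi"]["inbound"] == sa["spi"]["outbound"]:
        findings.append("expected one inbound and one outbound ESP SA with distinct SPIs")
    match = [n for n in neighbors if n["address"] == peer_ip and n["interface"] == interface]
    if not match:
        findings.append(f"no OSPF neighbor {peer_ip} on {interface}")
    elif match[0]["state"] != "FULL":
        findings.append(f"OSPF neighbor {peer_ip} is {match[0]['state']}, not FULL")
    return findings


if __name__ == "__main__":
    result = check_ospf_over_vpn(parse_ipsec_sa(SHOW_IPSEC_SA), parse_ospf_neighbors(SHOW_OSPF_NEIGHBOR),
                                 "30.30.30.1", "40.40.40.2")
    print(result or "OSPF over IPsec verified")
```

On a live device, capture the two show commands to files and feed their contents to the parsers; a neighbor stuck in EXSTART or EXCHANGE with healthy IPsec counters points at the MTU issue mentioned in the configuration note rather than at the tunnel.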
Verify that the LAN-to-LAN connection passes routing traffic by checking the routers:
- show ip route—Displays IP routing table entries.
Left#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
20.0.0.0/24 is subnetted, 1 subnets
O 20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Ethernet0
11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback11
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
S* 0.0.0.0/0 [1/0] via 10.10.10.1
Left#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Right#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 20.20.20.1 to network 0.0.0.0
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Ethernet0
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
O 10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
11.0.0.0/32 is subnetted, 1 subnets
O 11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
S* 0.0.0.0/0 [1/0] via 20.20.20.1
Right#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms