Chapter 4. Common IPsec VPN Issues


IPsec and Recursive Routing

IPsec Diagnostic Tools within Cisco IOS

The most commonly used categories of diagnostic tools used within Cisco IOS are show and debug commands. Throughout the course of this chapter, we will use variations of these two command sets to diagnose issues commonly found within Cisco IOS. As we've discussed, there are detailed steps that occur during the formation of Internet Security Association and Key Management Protocol (ISAKMP) and IPsec negotiation between two IPsec VPN endpoints. We will examine common errors in these steps through execution of the following debugging commands within IOS:

debug crypto isakmp
debug crypto IPsec

Additionally, we will explore several show commands necessary to uncover common errors and performance issues related to the negotiation of IPsec VPN tunnels, including fragmentation/maximum transmission unit (MTU) issues, quality of service (QoS) issues, Network Address Translation (NAT) issues, and issues relating to recursive routing. A subset of the commands we will discuss to address these issues includes:

show crypto isakmp sa
show crypto isakmp sa nat
show crypto IPsec sa
show crypto engine connections active
show crypto engine connections dropped-packet
show crypto engine connections flow
show crypto engine qos



Common Configuration Issues with IPsec VPNs

There are many parameters and features to understand when deploying IPsec VPNs. In this section, we will discuss configuration issues presented when one or more IPsec VPN gateways are configured incorrectly. After discussing the nature of each of the above commonly experienced IPsec VPN configuration issues, we will discuss the methods used to effectively diagnose and remedy these issues.



IKE SA Proposal Mismatches

Unless IPsec session keys are manually defined, two crypto endpoints must agree upon an ISAKMP policy to use when negotiating the secure Internet Key Exchange (IKE) channel, or ISAKMP security association (SA). As such, when two VPN endpoints fail to agree upon a usable ISAKMP policy, IPsec SA negotiation cannot initiate, and traffic will continue to flow unencrypted.

Figure 2-24 and Figure 2-25 provide a brief description of the ISAKMP policy negotiation process in main mode and aggressive mode respectively, and the involved configuration on two VPN endpoints. Also remember from our discussions in Chapter 2 that ISAKMP policies are listed in order of priority (the lower number being the highest priority). The initiator will offer the highest priority proposal, and the responder will search its locally configured ISAKMP policies for a match. If there are none, the initiator will propose the next highest ISAKMP policy defined in its local configuration. This process will continue until the initiator has no proposals left to offer the responder. The result, in this case, would be an ISAKMP SA proposal mismatch.

Using the configurations provided in Example 4-1 and Example 4-2, Router_A and Router_B will attempt to form an IKE SA between one another using the topology illustrated in Figure 4-1.



Figure 4-1. ISAKMP SA Negotiation Resulting in ISAKMP Proposal Mismatch






Example 4-1 provides the ISAKMP policies configured for Router_A in Figure 4-1. Note that, in this configuration, there are no ISAKMP proposals configured that match those configured on Router_B in Example 4-2.

Example 4-1. Crypto ISAKMP Policy Definition for Router_A in Figure 4-1 (Mismatch with Router_B, Example 4-2)



Router_A#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 30
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit



Example 4-2 provides the ISAKMP policy configuration on Router_B of Figure 4-1. Router_B will use this policy when building an ISAKMP SA to Router_A, whose ISAKMP policy is provided in Example 4-1. Because Router_B's ISAKMP configuration contains no matching proposals with Router_A's configuration provided in Example 4-1, ISAKMP negotiation will fail.

Example 4-2. Crypto ISAKMP Policy Definition for Router_B in Figure 4-1 (Mismatch with Router_B, Example 4-1)



Router_B#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 30
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit



The following numbered sequence of events describes the ISAKMP proposal mismatch between the configurations provided in Example 4-1 for Router_A in Figure 4-1 and Example 4-2 for Router_B in Figure 4-1.

1. Router A sends its configured ISAKMP policies 10, 20, and 30 to Router B.

2. Router B checks policy 10 obtained in step 1 against its own configured policies, beginning with the lowest numbered policy and ending with the highest.

3. If Router B does not find a match in step 2, it checks policy 20 obtained in step 1 against its own configured policies, starting with the lowest numbered and ending with the highest.

4. If Router B does not find a match in step 3, it checks policy 30 obtained in step 1 against its own configured policies, starting with the lowest numbered and ending with the highest.

5. If Router B does not find a match in step 4, then a proposal mismatch has occurred, and the Phase 1 negotiation times out.
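Steps 1 through 5 describe a nested search: each offered policy is checked, in priority order, against each locally configured policy, in priority order, until a compatible pair is found. The Python below is an added illustration of that search; it is not Cisco IOS code, and the matching rule it applies (equality of encryption, hash, authentication method and Diffie-Hellman group, with the shorter lifetime adopted) is a simplification of IOS behaviour that leaves the default protection suite out of the model. The policy tables are transcribed from Examples 4-1 and 4-2 and, for the matching case discussed later in this section, from Example 4-4; Router_B's Example 4-5 policy 10 is not printed in this section and is constructed here from the statement that it matches Router_A's policy 30, and the final responder table is constructed so that nothing matches. One thing the simulation surfaces deserves a practitioner's attention: taken exactly as printed, Router_A's priority 20 and Router_B's priority 30 in Examples 4-1 and 4-2 are identical (DES, SHA, pre-shared key, group 2), so the search reports a match there, whereas the debug trace in Example 4-3 records the rejection of transform 1 only. Before concluding that a mismatch exists on a real pair of peers, run this kind of comparison over the live show crypto isakmp policy output of both sides rather than over a configuration summary.

```python
"""Added illustration of the ISAKMP (IKEv1 Phase 1) proposal search described
in steps 1-5.  Not Cisco IOS code.  Matching rule modelled: encryption, hash,
authentication method and Diffie-Hellman group must be equal; lifetimes never
reject, the shorter one is adopted.  The default protection suite is left out
of the model (simplification)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'Protection suite of priority N' block from show crypto isakmp policy."""
    priority: int          # lower number = higher priority; offered and checked first
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int = 86400  # seconds


# Example 4-1: Router_A's configured policies, transcribed from the page.
ROUTER_A_EX41 = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(20, "des", "sha", "pre-share", 2),
    IsakmpPolicy(30, "aes-128", "sha", "rsa-sig", 1),
]

# Example 4-2: Router_B's configured policies, transcribed from the page.
ROUTER_B_EX42 = [
    IsakmpPolicy(10, "aes-128", "md5", "pre-share", 5),
    IsakmpPolicy(20, "3des", "md5", "rsa-sig", 1),
    IsakmpPolicy(30, "des", "sha", "pre-share", 2),
]

# Example 4-4: Router_A's revised policies (priority 30 now uses PSK and group 5).
ROUTER_A_EX44 = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(20, "des", "sha", "pre-share", 2),
    IsakmpPolicy(30, "aes-128", "sha", "pre-share", 5),
]

# Example 4-5 is not printed in this section.  Constructed: the text says Router_B's
# priority 10 matches Router_A's Example 4-4 priority 30, so it is given those values.
ROUTER_B_EX45_CONSTRUCTED = [IsakmpPolicy(10, "aes-128", "sha", "pre-share", 5)]

# Constructed responder with nothing in common with Router_A, to exercise step 5.
RESPONDER_NO_MATCH_CONSTRUCTED = [IsakmpPolicy(10, "aes-256", "sha", "pre-share", 14)]

# Attributes in the order IOS prints them in a debug crypto isakmp trace (Example 4-3).
CHECK_ORDER = ("encryption", "hash", "authentication", "dh_group")


def mismatch_reason(offered: IsakmpPolicy, local: IsakmpPolicy) -> Optional[str]:
    """First attribute on which 'offered' fails against 'local', or None if compatible."""
    for attr in CHECK_ORDER:
        if getattr(offered, attr) != getattr(local, attr):
            return attr
    return None


def by_priority(policies: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """Lowest priority number first, the order both sides walk their lists."""
    return sorted(policies, key=lambda p: p.priority)


def check_transform(offered: IsakmpPolicy,
                    responder: List[IsakmpPolicy]) -> List[Tuple[int, Optional[str]]]:
    """Verdict of one offered transform against every responder policy: the
    'Checking ISAKMP transform N against priority P policy' lines of a trace."""
    return [(local.priority, mismatch_reason(offered, local)) for local in by_priority(responder)]


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Steps 1-5: offer the initiator's policies lowest number first; for each, walk the
    responder's list lowest number first and accept the first compatible pair.
    Returns (initiator_priority, responder_priority, agreed_lifetime), or None when every
    offer is exhausted (step 5: proposal mismatch, Phase 1 times out)."""
    for offered in by_priority(initiator):
        for local in by_priority(responder):
            if mismatch_reason(offered, local) is None:
                return offered.priority, local.priority, min(offered.lifetime, local.lifetime)
    return None


if __name__ == "__main__":
    print("transform 1 (Router_A policy 10) vs Router_B, Example 4-2:",
          check_transform(ROUTER_A_EX41[0], ROUTER_B_EX42))
    print("Examples 4-1/4-2 as printed:", negotiate_phase1(ROUTER_A_EX41, ROUTER_B_EX42))
    print("Example 4-4 vs constructed 4-5:", negotiate_phase1(ROUTER_A_EX44, ROUTER_B_EX45_CONSTRUCTED))
    print("No common policy:", negotiate_phase1(ROUTER_A_EX41, RESPONDER_NO_MATCH_CONSTRUCTED))
```

The per-attribute verdicts returned by check_transform for Router_A's policy 10 line up with Example 4-3: against Router_B's priority 10 the encryption algorithm is the first attribute to fail, which is exactly what line 12 of that trace reports.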



In order to confirm that IKE proposal mismatches have occurred in an IPsec VPN tunnel negotiation, we will inspect the output of the ISAKMP SA negotiation between Routers A and B. Routers A and B are using preshared IKE authentication in a site-to-site VPN, but have not been configured with matching ISAKMP policies. We will execute the command debug crypto isakmp on routers A and B to highlight that an IKE proposal mismatch is indeed the cause of ISAKMP SA negotiation failure. Example 4-3 displays debugging output as ISAKMP policies proposed by Router_A are checked against locally configured policies on Router_B.

In the diagnostic output shown in Example 4-3, Router_B checks proposals sent from Router_A for potential matches. Router_B begins by checking the ISAKMP proposals sent from Router_A against its own configured ISAKMP proposals. It does this by checking all of the proposals received (starting with the lowest numbered and ending with the highest) against its favored policy (lowest numbered). If there are no matches, it checks the received policies in the same order against its next-lowest-numbered policy. This process continues until a match is found or all policies have been checked and no match has been found. In this specific proposal, the encryption proposed for encrypting the IKE channel does not match (see Examples 4-2 and 4-3 for ISAKMP proposal information for Router_A and Router_B), and Router B continues to check other offered proposals against its locally configured ISAKMP policies. Example 4-3, line 12, confirms that a proposal mismatch has occurred. Router_B finds that no ISAKMP proposals sent from Router_A match its own configured ISAKMP policies and therefore deletes the Phase 1 SA, and Phase 1 negotiation times out on Router_A, as confirmed in Example 4-3, line 18.

Example 4-3. Isolating IKE Proposal Mismatches on the Initiating VPN Endpoint (Router A)



1  Router_B#debug crypto isakmp
2  Crypto ISAKMP debugging is on
3  !
4  !
5  *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
6  *Feb 16 12:11:02.379: ISAKMP:      encryption 3DES-CBC
7  *Feb 16 12:11:02.379: ISAKMP:      hash MD5
8  *Feb 16 12:11:02.379: ISAKMP:      default group 2
9  *Feb 16 12:11:02.379: ISAKMP:      auth pre-share
10 *Feb 16 12:11:02.379: ISAKMP:      life type in seconds
11 *Feb 16 12:11:02.379: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
12 *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
13 !
14 !
15 *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):no offers accepted!
16 *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):phase 1 SA policy not acceptable! (local 200.0.0.2 remote 200.0.0.1)
17 *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
18 *Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 200.0.0.1)
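Reading a debug crypto isakmp trace by eye works for one tunnel; across many peers it helps to extract the same facts mechanically. The Python below is an added example, not part of the book or of IOS: it parses the responder-side lines reproduced from Example 4-3, records which transform was checked against which local policy and with what verdict, decodes the offered life duration (the four bytes 0x0 0x1 0x51 0x80 at line 11 are the big-endian value 86400 seconds, matching the configured lifetime), and pulls the local and remote addresses and the final SA deletion reason into a one-line verdict. The message patterns are matched as they appear in Example 4-3; other IOS releases may word them differently, so treat the regular expressions as tuned to this trace.

```python
"""Added example: mechanical triage of a 'debug crypto isakmp' Phase 1 trace.
Not IOS code.  Sample lines are the responder-side messages reproduced from
Example 4-3 (Router_B); the patterns below are tuned to that wording."""

import re
from typing import Dict, Optional, Tuple

EXAMPLE_4_3 = """\
Router_B#debug crypto isakmp
Crypto ISAKMP debugging is on
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Feb 16 12:11:02.379: ISAKMP:      encryption 3DES-CBC
*Feb 16 12:11:02.379: ISAKMP:      hash MD5
*Feb 16 12:11:02.379: ISAKMP:      default group 2
*Feb 16 12:11:02.379: ISAKMP:      auth pre-share
*Feb 16 12:11:02.379: ISAKMP:      life type in seconds
*Feb 16 12:11:02.379: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):no offers accepted!
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):phase 1 SA policy not acceptable! (local 200.0.0.2 remote 200.0.0.1)
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
*Feb 16 12:11:02.379: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 200.0.0.1)
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
MISMATCH_RE = re.compile(r"(\w[\w ]*) offered does not match policy!")
NOT_ACCEPTABLE_RE = re.compile(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\w+) \(peer (\S+)\)')
NO_OFFERS = "no offers accepted!"

# Attribute lines of an offered transform, as IOS prints them, mapped to field names.
ATTR_PREFIXES = {
    "encryption": "encryption",
    "hash": "hash",
    "default group": "dh_group",
    "auth": "authentication",
    "life type in": "life_type",
    "life duration (VPI) of": "life_duration",
}


def parse_attribute(line: str) -> Optional[Tuple[str, object]]:
    """Turn 'ISAKMP:      default group 2' into ('dh_group', '2'); the VPI life
    duration bytes are decoded big-endian into an integer number of seconds."""
    _, sep, rest = line.partition("ISAKMP:")
    if not sep:
        return None
    rest = rest.strip()
    for prefix, field in ATTR_PREFIXES.items():
        if rest.startswith(prefix + " "):
            value = rest[len(prefix):].strip()
            if field == "life_duration":
                return field, int("".join(f"{int(b, 16):02x}" for b in value.split()), 16)
            return field, value
    return None


def triage_isakmp_debug(text: str) -> Dict:
    """Summarise a Phase 1 trace: transforms checked, per-check verdicts, peer
    addresses, the SA deletion record and a one-line verdict."""
    report: Dict = {"checks": [], "no_offers_accepted": False, "local": None,
                    "remote": None, "deleted": None, "verdict": "no Phase 1 policy failure seen"}
    current = None  # the transform/policy check whose attribute lines follow
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "offered": {}, "result": "accepted"}
            report["checks"].append(current)
            continue
        m = MISMATCH_RE.search(line)
        if m and current is not None:
            current["result"] = m.group(1).lower() + " mismatch"
            continue
        if NO_OFFERS in line:
            report["no_offers_accepted"] = True
            continue
        m = NOT_ACCEPTABLE_RE.search(line)
        if m:
            report["local"], report["remote"] = m.group(1), m.group(2)
            continue
        m = DELETE_RE.search(line)
        if m:
            report["deleted"] = {"reason": m.group(1), "role": m.group(2),
                                 "state": m.group(3), "peer": m.group(4)}
            continue
        attr = parse_attribute(line) if current is not None else None
        if attr:
            current["offered"][attr[0]] = attr[1]
    deleted = report["deleted"]
    if report["no_offers_accepted"] or (deleted and "policy proposal not accepted" in deleted["reason"]):
        role = "responder" if deleted and deleted["role"] == "R" else "initiator"
        report["verdict"] = (f"Phase 1 proposal mismatch: {role} {report['local']} rejected every "
                             f"offer from {report['remote']}; compare show crypto isakmp policy on both peers")
    return report


if __name__ == "__main__":
    for key, value in triage_isakmp_debug(EXAMPLE_4_3).items():
        print(f"{key}: {value}")
```

The state token captured from line 18, MM_NO_STATE with role (R), tells you the failure happened in main mode before any state was established and that this router was the responder, which is why the initiator side (Router_A) only sees a timeout.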



Until the two endpoints can agree on an ISAKMP policy to use when securing the IKE channel and negotiating a Diffie-Hellman key to use when encrypting the IKE exchanges and in the IPsec transform, IPsec VPN tunnel negotiation cannot continue. Another task that must be performed successfully for IPsec VPN tunnel negotiation to continue is IKE authentication.

IKE Authentication Failures and Errors

Recall from our previous discussions that, in Cisco IOS, there are three methods offered to authenticate peers wanting to negotiate an ISAKMP SA: preshared keys (PSKs), RSA signatures, or RSA encryption. As we had discussed in Chapter 2, all three authentication methods have distinct elements used when authenticating IKE peers. We will discuss common IKE authentication failure issues within the context of each of these three authentication methods.

IKE Authentication Errors and PSKs

There are two conditions that must be met for two IPsec VPN endpoints to authenticate each other using IKE PSKs. First, matching keys must be configured on the two endpoints. Second, the endpoints must be configured to share these keys with the correct peer. Router_A and Router_B are now configured with matching ISAKMP policies for Phase 1 negotiation, but still have problems preventing them from authenticating one another. We will examine debugging output on the routers in Figure 4-2 to highlight authentication failures directly attributable to mismatched keys and mismatched peers.



Figure 4-2. Troubleshooting IKE PSK Authentication






Example 4-4 provides the configuration of Router_A in Figure 4-2. Note that, unlike Router_A's configuration in Figure 4-1, Router_A is now configured with an ISAKMP policy that contains a matching proposal (Example 4-4, priority 30) with Router_B (Example 4-5, priority 10). In this case, however, IKE will still fail to negotiate due to a mismatched PSK on Router_A (Example 4-4, line 32) and Router_B (Example 4-5, line 32).

Example 4-4. Mismatched IKE PSK on Router_A (Corresponds with Mismatched Key for Router_B in Example 4-5)



1  Router_A#show crypto isakmp policy
2
3  Global IKE policy
4  #<-- ISAKMP Policy 10 Matches Router_B's ISAKMP Proposal 30 (Example 4-5 below) -->
5  Protection suite of priority 10
6          encryption algorithm:   Three key triple DES
7          hash algorithm:         Message Digest 5
8          authentication method:  Pre-Shared Key
9          Diffie-Hellman group:   #2 (1024 bit)
10         lifetime:               86400 seconds, no volume limit
11 Protection suite of priority 20
12         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
13         hash algorithm:         Secure Hash Standard
14         authentication method:  Pre-Shared Key
15         Diffie-Hellman group:   #2 (1024 bit)
16         lifetime:               86400 seconds, no volume limit
17 Protection suite of priority 30
18         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
19         hash algorithm:         Secure Hash Standard
20         authentication method:  Pre-Shared Key
21         Diffie-Hellman group:   #5 (1536 bit)
22         lifetime:               86400 seconds, no volume limit
23 Default protection suite
24         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
25         hash algorithm:         Secure Hash Standard
26         authentication method:  Rivest-Shamir-Adleman Signature
27         Diffie-Hellman group:   #1 (768 bit)
28         lifetime:               86400 seconds, no volume limit
29 Router_A#show crypto isakmp key
30 Keyring      Hostname/Address      PSK
31
32 default      200.0.0.2             tarheels



Example 4-5 provides the configuration of Router_B in Figure 4-2. Note that Router_B's ISAKMP proposal listed with priority 10 (Example 4-4, lines 5-10) will match Router_A's proposal listed with priority 30 (Example 4-4, lines 17-22). However, IKE will still fail because of mismatched PSKs on Router_A (Example 4-4, line 32) and Router_B (Example 4-5, line 32).
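The two PSK conditions stated above (a key bound to the correct peer address on each endpoint, and identical key values) can be checked from the show crypto isakmp key output of both peers. The Python below is an added example, not the book's or Cisco's code: it parses the Keyring / Hostname/Address / PSK table as printed at lines 29 through 32 of Example 4-4 for Router_A, and, because Router_B's Example 4-5 output is not reproduced in this section, uses constructed Router_B tables to show each failure separately: a key that differs from Router_A's, a key bound to the wrong peer address, and a correct configuration. The addresses are inferred from Example 4-3, where Router_B reports itself as local 200.0.0.2 and Router_A as remote 200.0.0.1, consistent with Router_A keying peer 200.0.0.2 in Example 4-4. Keys are compared with hmac.compare_digest, a habit worth keeping for any secret comparison even in a diagnostic script.

```python
"""Added example: check the two IKE PSK preconditions from 'show crypto isakmp key'
output of both peers.  Not IOS code.  Router_A's table is lines 29-32 of Example 4-4;
Router_B's tables are constructed because Example 4-5 is not reproduced here.
Addresses are inferred from Example 4-3: Router_B is 200.0.0.2, Router_A is 200.0.0.1."""

import hmac
from typing import Dict, List

ROUTER_A_ADDR = "200.0.0.1"
ROUTER_B_ADDR = "200.0.0.2"

# Example 4-4, lines 29-32 (Router_A), as printed.
ROUTER_A_KEYS = """\
Router_A#show crypto isakmp key
Keyring      Hostname/Address      PSK

default      200.0.0.2             tarheels
"""

# Constructed Router_B variants (Example 4-5 is not printed in this section).
ROUTER_B_KEYS_WRONG_KEY = """\
Router_B#show crypto isakmp key
Keyring      Hostname/Address      PSK

default      200.0.0.1             tarheel
"""
ROUTER_B_KEYS_WRONG_PEER = """\
Router_B#show crypto isakmp key
Keyring      Hostname/Address      PSK

default      200.0.0.3             tarheels
"""
ROUTER_B_KEYS_OK = """\
Router_B#show crypto isakmp key
Keyring      Hostname/Address      PSK

default      200.0.0.1             tarheels
"""


def parse_isakmp_keys(show_output: str) -> Dict[str, str]:
    """Map peer hostname/address -> PSK.  The prompt line (four fields) and the
    column header are skipped; one entry per peer is assumed, so keyring names
    are not distinguished."""
    keys: Dict[str, str] = {}
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "Keyring":
            continue
        _keyring, peer, psk = fields
        keys[peer] = psk
    return keys


def check_psk_preconditions(a_keys: Dict[str, str], a_addr: str,
                            b_keys: Dict[str, str], b_addr: str) -> List[str]:
    """Condition 1: each endpoint holds a key bound to the other's address.
    Condition 2: the two key values are identical (compared in constant time).
    Returns a list of findings; an empty list means both conditions hold."""
    findings: List[str] = []
    a_key = a_keys.get(b_addr)
    b_key = b_keys.get(a_addr)
    if a_key is None:
        findings.append(f"{a_addr} has no PSK configured for peer {b_addr}")
    if b_key is None:
        findings.append(f"{b_addr} has no PSK configured for peer {a_addr}")
    if a_key is not None and b_key is not None and \
            not hmac.compare_digest(a_key.encode(), b_key.encode()):
        findings.append(f"PSK for {a_addr} <-> {b_addr} differs between the two endpoints")
    return findings


def diagnose(router_b_output: str) -> List[str]:
    """Run the check for Router_A (Example 4-4) against a given Router_B table."""
    return check_psk_preconditions(parse_isakmp_keys(ROUTER_A_KEYS), ROUTER_A_ADDR,
                                   parse_isakmp_keys(router_b_output), ROUTER_B_ADDR)


if __name__ == "__main__":
    for label, output in (("wrong key", ROUTER_B_KEYS_WRONG_KEY),
                          ("wrong peer", ROUTER_B_KEYS_WRONG_PEER),
                          ("correct", ROUTER_B_KEYS_OK)):
        print(f"{label}: {diagnose(output) or ['PSK preconditions satisfied']}")
```

Note that IOS prints the key value in clear in this output, so a script like this should be run where that output is already handled as sensitive, and its findings should name the peers, not echo the keys.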


