Converting crypto map to unnumbered VTI

Discussion in 'Cisco' started by Mike Gauthier, Nov 8, 2007.

  1. I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto
    map has been working for months. The VTI... not so much. Here are the
    applicable config entries.

    ### original config
    !
    crypto isakmp policy 30
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp key xxxxxxxx address 10.1.1.10
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map CRYPTO 50 ipsec-isakmp
    set peer 10.1.1.10
    set transform-set 3DES-SHA
    set pfs group2
    match address VPN1
    !
    ip access-list extended VPN1
    permit ip host 172.16.16.10 host 10.5.5.1
    permit ip host 172.16.16.10 host 10.5.5.4

    I only removed the crypto map and added the following.

    ### New Config
    crypto ipsec profile V1
    set security-association lifetime seconds 28800
    set transform-set 3DES-SHA
    set pfs group2
    !
    interface Tunnel0
    ip unnumbered FastEthernet0/0
    ip nat outside
    ip virtual-reassembly
    tunnel source 172.16.8.1
    tunnel destination 10.1.1.10
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile V1

    I keep getting this ISAKMP error now.

    ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state
    (I) QM_IDLE (peer 10.1.1.10)

    Any help would be greatly appreciated. Also... I have no idea what is
    running on the other end (it's a partner network), but I suspect it's a
    crypto map on IOS.

    Thank you!

    MikeG
     
    Mike Gauthier, Nov 8, 2007
    #1

  2. Darren Green Guest

    Mike,

    Hi.

    Before you go any further I would recommend that you find out what you
    are connecting to.

    Using VTI's is different from using static crypto maps. On a VTI you
    do not define (AFAIK) a crypto ACL. Using a VTI is like saying permit
    ip any any in a crypto acl.

    On the remote end if they are running e.g a PIX or router with a
    standard crypto map, there will be a crypto-acl which you should be
    mirroring, I suspect this is not the case though.

    Any reason why you wanted to use a VTI ?

    Regards

    Darren
     
    Darren Green, Nov 9, 2007
    #2

  3. Merv Guest

    You may want to compare debug isakmp from working and non-working
    setups:

    1. post show version and show interface tu 0

    2. return to original config

    3. capture debug isakmp sa

    4. configure IPSEC profile with crypto map

    5. capture debug isakmp sa with this setup

    6. config new config with VTI setup

    7. capture debug isakmp sa with this setup


    In main mode, there will be an exchange of 6 IKE packets.
    The VTI tunnel interface will not come up until the SAs are built
    (i.e. it will be in up - down state)
     
    Merv, Nov 10, 2007
    #3
  4. Actually, not knowing what's on the other end is part of the exercise.
    My employer has thought it a good idea to offer VPN connectivity to our
    clients. Clients can mean a large corporation and a proper networking
    team, but mostly it means a small to medium sized business with limited
    network skills. Then... there can also be a language barrier as we're a
    global company.

    I understand what you mean about not having a crypto ACL on a VTI. There
    is a permit ip any any (you'll see it if you do a show crypto session),
    but you can apply an ACL to the tun interface to simulate one. This is
    how I suspect one would mirror the crypto ACL.

    I want to use a VTI for monitoring purposes. Since it is an interface,
    it can be monitored (both state and bandwidth). I'm trying to make what
    could turn into a large number of VPNs much easier for our support team
    to support. With a VTI, we can show support a green or red light per VPN
    tunnel. We can't really do that with a crypto map (that I'm aware of).

    Thanks for the reply BTW. Appreciate it Darren.

    Regards,

    MikeG
     
    Mike Gauthier, Nov 11, 2007
    #4
  5. --
    Router#sho ver
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
    12.4(12), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 17-Nov-06 12:02 by prod_rel_team

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    qsv-cvpnc1 uptime is 3 days, 15 hours, 28 minutes
    System returned to ROM by reload at 00:39:57 UTC Thu Nov 8 2007
    System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    .

    Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
    Processor board ID FTX1048A3RX
    2 FastEthernet interfaces
    2 Serial interfaces
    2 Virtual Private Network (VPN) Modules
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102
    --

    Can't do a show int tun0 right now because...
    .. . .I've done just this.
    I did that, but the only error I was seeing was
     
    Mike Gauthier, Nov 11, 2007
    #5
  6. Merv Guest

    Router#sho ver

    BTW IOS 12.4(12) has been yanked by Cisco.

    You should upgrade to a newer maintenance version of 12.4
     
    Merv, Nov 11, 2007
    #6
  7. Merv Guest

    2. return to original config


    .. . .I've done just this.


    I did that, but the only error I was seeing was


    =========================================

    Mike, it looks like your reply got clipped.


    Did you see any issues in the output of debug isakmp sa for the
    original config ?
     
    Merv, Nov 11, 2007
    #7
  8. Weird. My post did get clipped.

    The only error I saw from my debug isakmp was the following.

    ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state
    (I) QM_IDLE (peer 10.1.1.10)

    I'd get QM_IDLE for a second and then that error. I see nothing in Phase
    2. No send errors, no encrypt/decrypt errors. Nothing.

    Got your email BTW. Thank you.

    MikeG
     
    Mike Gauthier, Nov 12, 2007
    #8
  9. Merv Guest

    Mike,

    1. Upgrade IOS software to a supported maintenance release

    2. test IPSEC profile using crypto map command on the FastEthernet
    interface
    crypto map V1TEST 10 ipsec-isakmp profile V1
     
    Merv, Nov 12, 2007
    #9
  10. Merv Guest

    Also try disabling aggressive mode to see if it makes any difference

    crypto isakmp aggressive-mode disable
     
    Merv, Nov 12, 2007
    #10
  12. I've grabbed some spare 3825s that were destined for a data center
    upgrade in Europe. I built a small lab network today and will be testing
    several different aspects of VTIs, crypto maps, and NAT tomorrow.

    Thank you for your help Merv. Quite helpful, unfortunately, nothing
    seemed to help. Do you think PFS could have anything to do with it?
    This particular VPN uses it. Ah... I'll save for the playground tomorrow.

    Thanks again.

    MikeG
     
    Mike Gauthier, Nov 14, 2007
    #12
  13. Merv Guest

    Mike,

    Please post your results as the Cisco docs are pretty thin when it
    comes to VTI especially in the presence of NAT.

    Merv
     
    Merv, Nov 14, 2007
    #13
  14. Most definitely will. Hope to have something to post by the end of the
    day (unless more fires erupt... seems to always happen when I *WANT* to do
    a particular thing).

    MikeG
     
    Mike Gauthier, Nov 14, 2007
    #14
  15. It's been one fire after another this week (down lines in the
    Philippines, AC out in our lab, etc.). Hopefully I'll get to play around
    on Friday.

    MikeG
     
    Mike Gauthier, Nov 16, 2007
    #15
  16. I was finally able to devote some time to this! YAY!

    Here is my bottom line: monitoring VPN status on IOS routers pretty much
    sucks.

    I cannot convert my crypto maps to static VTIs because the crypto ACL
    cannot be modified. Usually this would not be a big deal, but I do not
    control the other end of the tunnel. Because of the static VTI's inherent
    "permit ip any any" encryption domain, this is not an option.

    I tried to use dynamic VTIs, but the encryption domain is a problem with
    this as well. With a DVTI, one can have *ONLY* a single line crypto
    ACL. Again, a problem because I do not control the other end of the
    tunnel.

    It really looks to me like it's best if I stick with the crypto map
    tunnels. They are definitely the most flexible and are pretty much
    guaranteed to work with whatever may be on the other end (given it does
    proper IPSEC).

    So... my new problem. My lab router is running 12.4(17) (c3825-
    advipservicek9-mz.124-17.bin). I have a working crypto map VPN running.
    I make the VPN go up. I make the VPN go down (clear crypto session).
    What happened to the %CRYPTO-5-SESSION_STATUS log messages? They used to
    show up (I set crazy debugging, but they're gone). I guess this no
    longer applies?

    http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af9.html

    How can I monitor these tunnels now without the log entries?

    Thanks again for the help Merv. If anyone can shed some light on this,
    I'd really appreciate it.

    MikeG
     
    Mike Gauthier, Nov 27, 2007
    #16
  17. After speaking with TAC and their doing a little research, it turns out
    that the CRYPTO-5-SESSION_STATUS log messages must be turned on.
    According to TAC, this doesn't appear to be documented anywhere. Huh...
    interesting.

    conf t
    crypto logging session
    end

    Mike
     
    Mike Gauthier, Nov 28, 2007
    #17
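Mike's goal in #4 (a green or red light per VPN tunnel for support staff) and the fix in #17 (`crypto logging session`) combine naturally: ship the %CRYPTO-5-SESSION_STATUS messages to a syslog collector and track the last known state per peer. The following is an added example, not code from the thread; the log lines are constructed, the hostname is the one from the show version output above, and the message layout ("Crypto tunnel is UP/DOWN" followed by "Peer a.b.c.d:port") is assumed from typical IOS output, so check the regex against what your router actually logs.

```python
import re

# Constructed sample syslog lines (not taken from the thread). The
# %CRYPTO-5-SESSION_STATUS layout is assumed from typical IOS output.
SAMPLE_LOG = """\
Nov 28 09:12:01 qsv-cvpnc1 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 09:12:05 qsv-cvpnc1 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.2.2.20:500 Id: 10.2.2.20
Nov 28 09:40:33 qsv-cvpnc1 %SYS-5-CONFIG_I: Configured from console by vty0
Nov 28 10:02:17 qsv-cvpnc1 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 10:05:40 qsv-cvpnc1 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.10:500 Id: 10.1.1.10
"""

# Tolerates the "UP ." / "DOWN." spacing difference seen in IOS output.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_session_event(line):
    """Return {'state', 'peer', 'port'} for a session-status line, else None."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {"state": m.group("state"), "peer": m.group("peer"),
            "port": int(m.group("port"))}


def tunnel_status(lines, expected_peers):
    """Fold log lines into a per-peer status table.

    expected_peers: the 'set peer' addresses from the crypto maps, so a
    tunnel that never logged anything still shows up as UNKNOWN (a red
    light, not a silently missing row). 'transitions' counts UP/DOWN
    events, which makes a flapping tunnel visible even if it is UP now.
    """
    table = {p: {"state": "UNKNOWN", "transitions": 0} for p in expected_peers}
    for line in lines:
        ev = parse_session_event(line)
        if ev is None:
            continue
        entry = table.setdefault(ev["peer"], {"state": "UNKNOWN", "transitions": 0})
        entry["state"] = ev["state"]
        entry["transitions"] += 1
    return table


if __name__ == "__main__":
    for peer, info in tunnel_status(SAMPLE_LOG.splitlines(), ["10.1.1.10", "10.2.2.20", "10.3.3.30"]).items():
        light = "GREEN" if info["state"] == "UP" else "RED"
        print(f"{peer:<15} {light:<6} ({info['state']}, {info['transitions']} transitions)")
```

The expected-peer list is what turns this into the per-tunnel dashboard Mike wanted: a peer that is configured but has never logged UP stays red instead of disappearing.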