Mar 21

Bob took a moment to reflect and realize how far he had come over the past several months. He smiled to himself as he remembered how much he had learned about DMVPN, the ASA Firewall and IPSec, including GET VPN.

He had also improved his skills in MPLS, Multi-Protocol BGP, IOS IPS, EEM, and many other areas by using the sweet blog articles at INE.  (Shameless Plug :) ).

One Monday morning, as he was feeling refreshed from a rare weekend of no support calls, he was met by one of his co-workers with a technical riddle. Bob thought about it, googled it and then attempted to lab up a few solutions, all without success.

Your mission, should you choose to accept it, is to assist Bob by identifying the possible solution(s) for using IKE Phase 1 in the desired way. Here is the topology, followed by the IPSec IKE Phase 1 riddle.

IKE Phase 1 Challenge

Here is the riddle.  Can you solve it for IKE Phase 1?

R1 and R2 will protect IP traffic between 4.0.0.0/24 and 6.0.0.0/24 using EasyVPN with R1 as the server, and use digital certificates for the authentication of IKE Phase 1.

R1 and R2 will also protect traffic between 5.0.0.0/24 and 7.0.0.0/24, but use an IKE Phase 1 authentication of a pre-shared key of "cisco" associated with the protection of this traffic.

R3 may be used in any capacity for this task, including CA server, time server, etc.

Any and all ideas and observations are welcome, and you don’t need to provide a full working configuration to voice your opinion.  So let’s have it, can this even be done? ;)
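As an added illustration, not part of the original post, the following Python models the part of IKEv1 Phase 1 negotiation that makes the riddle tricky: the responder accepts the first of the initiator's proposals that matches one of its own policies and for which it actually holds credentials. The addresses, policy numbers and the constructed loopback 2.2.2.2 are assumptions, and the model simplifies IOS behavior (a pre-share policy is treated as usable only when a key is bound to the peer's address).

```python
# Simplified model of IKEv1 Phase 1 policy selection on an IOS-style
# responder (constructed illustration, not Cisco code). The responder walks
# the initiator's proposals in order and accepts the first one that matches
# a local policy AND for which it holds credentials: a pre-shared key bound
# to the peer's address for "pre-share", a trustpoint for "rsa-sig".

def negotiate(proposals, policies, keyring, peer_addr, has_trustpoint=True):
    """Return (priority, auth) of the accepted policy, or None if nothing fits."""
    for proposal in proposals:
        for priority in sorted(policies):          # lowest number = highest priority
            policy = policies[priority]
            if policy != proposal:                 # encr/hash/group/auth must all agree
                continue
            auth = policy["auth"]
            if auth == "pre-share" and peer_addr not in keyring:
                continue                           # no key for this peer: proposal unusable
            if auth == "rsa-sig" and not has_trustpoint:
                continue
            return priority, auth
    return None

# Constructed policies modeled on the riddle: both routers carry a PSK policy
# (priority 10) and a certificate policy (priority 20) with identical attributes.
POLICIES = {
    10: {"encr": "3des", "hash": "sha", "group": 2, "auth": "pre-share"},
    20: {"encr": "3des", "hash": "sha", "group": 2, "auth": "rsa-sig"},
}
# An initiator proposes every policy it has, highest priority first.
PROPOSALS = [POLICIES[p] for p in sorted(POLICIES)]

def riddle_single_address():
    """Both tunnels arrive from 10.12.0.2 and R1 has "cisco" keyed to that
    address, so the PSK policy wins for the EasyVPN tunnel as well and the
    certificate requirement is never met."""
    keyring = {"10.12.0.2": "cisco"}
    return negotiate(PROPOSALS, POLICIES, keyring, "10.12.0.2")

def riddle_split_addresses():
    """Terminate the certificate tunnel on a second peer address (constructed
    loopback 2.2.2.2) with no key bound to it: the pre-share proposal is now
    unusable for that peer and the responder falls through to rsa-sig, while
    10.12.0.2 still negotiates pre-share."""
    keyring = {"10.12.0.2": "cisco"}
    return (negotiate(PROPOSALS, POLICIES, keyring, "10.12.0.2"),
            negotiate(PROPOSALS, POLICIES, keyring, "2.2.2.2"))

if __name__ == "__main__":
    print("single address:", riddle_single_address())
    print("split addresses:", riddle_split_addresses())
```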

From all of the ideas you offer as replies to this post, I am going to put all the names in a virtual hat, and draw a single winner for 50 rack tokens to our preferred rack vendor, Graded Labs. If you like, I can do a future blog with the detailed solutions, along with the name of the winner from the drawing.

Best wishes, and good luck!

11 Responses to “IKE Phase 1 Riddle, and Bob needs your help!”

  1. Nick says:

    I think….

    R1 & R2 need an EzVPN & DMVPN configured between them. (R1 will be the HUB for both).

    ACL’s will match interesting traffic as “normal” in the crypto maps.

    The key to the solution is on the client and the “match identities” within the “isakmp profile”.

    I.e., the isakmp profile for the EzVPN client (R2) will match the certificate DN, the isakmp profile for the DMVPN client (R2) will match the IP address of the spoke (R1)

    Cisco Example of R1 is http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

    R2 is a combination of DMVPN client from said example and the client config from http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

    Hope that’s right :-)
    rgds,
    Nick

  2. Igor says:

    My guess is ISAKMP profiles:
    First profile will use loopback IP address as local-address and self-identity address.
    Keyring will then refer to ISAKMP keys configured in global mode.
    This profile will match remote peer identity address of its loopback.

    Second profile will then use interface IP addresses and CA trustpoint to verify certificate.

  3. Fedia says:

    Interesting (but not live :) ) topology :)

    To my mind, to differentiate isakmp configs we have to use isakmp profiles and 2 VTI (virtual tunnel interfaces) with route-maps for PBR

    one isakmp profile will use certificates, and another – key-ring for pre-share authentication.

    But these are only ideas: I’ve implemented nothing similar to it.

    WBR, Sergei Fedorov, CCIE Sec, Moscow, Rus

  4. Jeff Norsworthy says:

    Using ISAKMP profiles you can create a profile matching local-address function. Using profile 1 matching 4.0.0.0/24 to 6.0.0.0/24 and using certificate authentication. A second profile can be created to match the local-address of 5.0.0.0/24 to 7.0.0.0/24 with pre-shared key.

  5. AJN says:

    Hi Anthony, this is a good break from R&S preparation :)

    hostname R1
    username ezvpnusername@ezvpngroup password 0 ezvpnpassword
    !
    crypto isakmp policy 57
    authentication pre-share
    crypto isakmp key cisco address 10.12.0.2
    !
    crypto isakmp client configuration group vpngroup
    key easykey
    dns 10.1.1.10
    wins 10.1.1.11
    pool remote_vpn_pool
    include-local-lan
    !
    !
    crypto ipsec transform-set 57 esp-3des esp-md5-hmac
    crypto ipsec transform-set transf_remote_vpn esp-3des esp-sha-hmac
    !
    crypto dynamic-map dyn_cry_remote_vpn 10
    set transform-set transf_remote_vpn
    reverse-route
    !
    !
    crypto map dyn_cry_remote_vpn client authentication list aaaremotevpn
    crypto map dyn_cry_remote_vpn isakmp authorization list aaaremotevpn
    crypto map dyn_cry_remote_vpn client configuration address respond
    !
    crypto map map57 1 ipsec-isakmp
    set peer 10.12.0.2
    set transform-set 57
    set pfs group2
    match address 100
    !
    !
    interface FastEthernet0/0
    ip address 4.0.0.1 255.255.255.0
    speed 100
    full-duplex
    !
    interface FastEthernet0/1
    ip address 10.12.0.1 255.255.255.0
    speed 100
    full-duplex
    crypto map map57
    !
    interface FastEthernet1/0
    ip address 5.0.0.1 255.255.255.0
    speed 100
    full-duplex
    !
    router ospf 12
    log-adjacency-changes
    network 4.0.0.0 0.0.0.255 area 0
    network 5.0.0.0 0.0.0.255 area 0
    network 10.12.0.0 0.0.0.255 area 0
    !
    ip local pool remote_vpn_pool 10.0.68.1 10.0.68.100

    !
    access-list 100 permit ip 5.0.0.0 0.0.0.255 7.0.0.0 0.0.0.255

    ——————————
    hostname R2

    crypto isakmp policy 75
    authentication pre-share
    !
    !
    crypto ipsec transform-set 75 esp-3des esp-md5-hmac
    !
    crypto ipsec client ezvpn hw-client
    connect auto
    group ezvpngroup key easykey
    mode client
    peer 10.12.0.1
    username ezvpnusername@ezvpngroup password ezvpnpassword
    xauth userid mode local
    !
    !
    crypto map map75 1 ipsec-isakmp
    set peer 10.12.0.1
    set transform-set 75
    set pfs group2
    match address 100
    !
    !
    interface FastEthernet0/0
    ip address 7.0.0.2 255.255.255.0
    speed 100
    full-duplex
    !
    interface FastEthernet0/1
    ip address 6.0.0.2 255.255.255.0
    speed 100
    full-duplex
    crypto ipsec client ezvpn hw-client inside
    !
    interface FastEthernet1/0
    ip address 10.12.0.2 255.255.255.0
    speed 100
    full-duplex
    crypto map map75
    crypto ipsec client ezvpn hw-client
    !
    router ospf 12
    log-adjacency-changes
    network 6.0.0.0 0.0.0.255 area 0
    network 7.0.0.0 0.0.0.255 area 0
    network 10.12.0.0 0.0.0.255 area 0
    access-list 100 permit ip 7.0.0.0 0.0.0.255 5.0.0.0 0.0.0.255

  6. MG says:

    Anthony, great task. I’ve tried to configure something like this:

    aaa authentication login CONSOLE none
    aaa authentication login easyVPN local
    aaa authorization network easyVPN local
    !

    crypto pki trustpoint TT
    enrollment mode ra
    enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
    revocation-check none
    !
    !
    !
    crypto pki certificate map cert_map 10
    subject-name co easyvpn-group
    !
    crypto pki certificate chain TT
    certificate
    !
    —-cut—
    !
    username cisco password 0 cisco

    crypto keyring TUN
    pre-shared-key address 10.12.0.3 key cisco
    !
    crypto isakmp policy 2
    encr 3des
    group 2
    !
    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp keepalive 30 5
    crypto isakmp nat keepalive 30
    crypto isakmp xauth timeout 10

    !
    crypto isakmp client configuration group easyvpn-group
    domain foo.com
    acl SPLIT
    save-password
    crypto isakmp profile easyvpn-group
    ca trust-point TT
    match identity group easyvpn-group
    match certificate cert_map
    client authentication list easyVPN
    isakmp authorization list easyVPN
    client configuration address respond
    virtual-template 1
    crypto isakmp profile TUN
    description for Tunnel0 interface
    keyring TUN
    match identity address 10.12.0.3 255.255.255.255
    local-address FastEthernet0/0
    !
    !
    crypto ipsec transform-set t1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile prof
    set transform-set t1
    !
    !
    crypto map TEST 10 ipsec-isakmp
    set peer 10.12.0.3
    set transform-set t1
    set isakmp-profile TUN
    match address VPN
    !
    !
    interface Loopback4
    ip address 4.0.0.1 255.255.255.0
    !
    interface Loopback5
    ip address 5.0.0.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 10.12.0.1 255.255.255.0
    duplex auto
    speed auto
    crypto map TEST
    !
    interface Virtual-Template1 type tunnel
    description EasyVPN for PSK users
    ip unnumbered FastEthernet0/0
    tunnel source FastEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile prof
    !
    ip access-list extended SPLIT
    permit ip 4.0.0.0 0.0.0.255 6.0.0.0 0.0.0.255

    ####r2

    crypto isakmp identity hostname
    crypto isakmp keepalive 10
    crypto isakmp profile TUN
    description for Tunnel0 interface
    keyring TUN
    match identity address 10.12.0.1 255.255.255.255
    local-address FastEthernet0/0
    crypto isakmp profile prof
    ca trust-point TT
    match identity address 10.12.0.1 255.255.255.255
    virtual-template 1
    local-address FastEthernet0/0
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    crypto ipsec transform-set t1 esp-3des esp-sha-hmac
    !
    !
    crypto ipsec profile prof
    set transform-set t1
    set isakmp-profile prof
    !
    !
    crypto ipsec client ezvpn vpnserver
    connect manual
    mode network-extension
    peer 10.12.0.1 default
    virtual-interface 1
    username cisco password cisco
    xauth userid mode local
    !
    !
    crypto map TEST 10 ipsec-isakmp
    set peer 10.12.0.1
    set transform-set t1
    set isakmp-profile TUN
    match address VPN

    But this solution is not working, I’m waiting for correct solution :)

  7. MG says:

    Hi,

    maybe you can give us some hint – I tried to configure with two isakmp profiles as you can see in my previous comment. With only one profile ezvpn is working fine, but when I added a second profile with a keyring both tunnels stop working.

  8. Paul Alexander says:

    Hmm, can we use GETVPN for the pre-shared part using “cisco” as the pre-shared key??

    Those crypto maps get put on the VLAN5 and VLAN7 interfaces. Therefore not affecting the digital certs…

    Use R3 as the KS.

  9. Paul Alexander says:

    Without testing it, I’m now not so sure the cryptos will work to encrypt ingress traffic, and decrypt egress for GETVPN.

    Nevertheless, if the crypto is on the interface between R1 & R2…the isakmp negotiation is still unaffected.

  10. Paul Stewart says:

    I think in current IOS a router can be both an EZ VPN client and server. Just on initial guess, I would make R1 and R2 both servers and clients with the correct ISAKMP policies that they are to respond to.

  11. [...] IKE Phase 1 Riddle, and Bob needs your help! [...]

    Nick, Igor, Fedia, Jeff, AJN, MG, Paul A and Paul S - Thanks for all the great responses. I just did a new post with a full solution! Thanks again. http://blog.ine.com/2010/03/27/ike-phase-1-didnt-phase-you-and-bob-is-ecstatic-about-the-help/