In a recent post here on the INE blog, we received some follow-up questions similar to the following:
“Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?”
It is an excellent question, and here is the answer. In a site to site IPSec tunnel the “mode transport” setting is only used when the traffic to be protected (traffic matching the Crypto ACLs) has the same IP addresses as the IPSec peers, and excludes all other IP addresses. When Crypto ACLs include IP addresses beyond of the 2 peer endpoints the “mode transport” setting is ignored, and tunnel mode is negotiated (due to IP addresses, other than the 2 peers, being part of the crypto ACL). There is also an option for the key word “require” after “mode transport” which will prevent the peers from negotiating tunnel mode, and if the IP addresses in the Crypto ACLs are outside of the peers’s own IP addresses, IKE phase 2 will not successfully complete.
One notable exception to this, is GET VPN, where the KS policy of tunnel mode or transport mode will be used by the group members (whichever mode the KS has configured), regardless of the IP addresses used in the KS ACL for policy.
Below is a site to site example. Let’s use the following topology, with R1 and R3 being peers, and a Crypto ACL that says to encrypt all ICMP traffic, regardless of the IP addresses. This Crypto ACL will cause our peers to ignore the mode transport option, and negotiate tunnel mode.
Below are the full configs, some debug output, and show commands to demonstrate that even with transport mode explicitly configured in the transform sets, if the crypto ACLs don’t exclusively include the endpoints of the VPN tunnel, the two peers go ahead and negotiate tunnel mode instead of transport mode. Note the Crypto ACL includes all ICMP from any source to any destination.
First, here is R1:
“Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?”
It is an excellent question, and here is the answer. In a site to site IPSec tunnel the “mode transport” setting is only used when the traffic to be protected (traffic matching the Crypto ACLs) has the same IP addresses as the IPSec peers, and excludes all other IP addresses. When Crypto ACLs include IP addresses beyond of the 2 peer endpoints the “mode transport” setting is ignored, and tunnel mode is negotiated (due to IP addresses, other than the 2 peers, being part of the crypto ACL). There is also an option for the key word “require” after “mode transport” which will prevent the peers from negotiating tunnel mode, and if the IP addresses in the Crypto ACLs are outside of the peers’s own IP addresses, IKE phase 2 will not successfully complete.
One notable exception to this, is GET VPN, where the KS policy of tunnel mode or transport mode will be used by the group members (whichever mode the KS has configured), regardless of the IP addresses used in the KS ACL for policy.
Below is a site to site example. Let’s use the following topology, with R1 and R3 being peers, and a Crypto ACL that says to encrypt all ICMP traffic, regardless of the IP addresses. This Crypto ACL will cause our peers to ignore the mode transport option, and negotiate tunnel mode.
Below are the full configs, some debug output, and show commands to demonstrate that even with transport mode explicitly configured in the transform sets, if the crypto ACLs don’t exclusively include the endpoints of the VPN tunnel, the two peers go ahead and negotiate tunnel mode instead of transport mode. Note the Crypto ACL includes all ICMP from any source to any destination.
First, here is R1:
R1#show run ! hostname R1 ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set MYSET esp-aes esp-sha-hmac mode transport ! crypto map MYMAP 10 ipsec-isakmp set peer 23.0.0.3 set transform-set MYSET match address 100 ! interface FastEthernet0/0 ip address 10.0.0.1 255.255.255.0 crypto map MYMAP ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ! access-list 100 permit icmp any any ! endNow for R3
R3#show run ! hostname R3 ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set MYSET esp-aes esp-sha-hmac mode transport ! crypto map MYMAP 10 ipsec-isakmp set peer 10.0.0.1 set transform-set MYSET match address 100 ! interface FastEthernet0/1 ip address 23.0.0.3 255.255.255.0 crypto map MYMAP ! router ospf 1 network 0.0.0.0 255.255.255.255 area 0 ! access-list 100 permit icmp any any ! end R3#Let’s enable debug of crypto isakmp, and send a couple sets of PING requests from R3 to R1
R3#debug crypto isakmp Crypto ISAKMP debugging is on R3#ping 10.0.0.1 source 23.0.0.3 repeat 10Here is the relevant portion of the debug output:
ISAKMP (0:1001): received packet from 10.0.0.1 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = 1137801467
ISAKMP:(1001): processing SA payload. message ID = 1137801467
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
SAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP:(1001):atts are acceptable.
To verify the tunnel mode is in place, we can look at the details of the SA:R3# show crypto ipsec sa interface: FastEthernet0/1 Crypto map tag: MYMAP, local addr 23.0.0.3 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0) current_peer 10.0.0.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 23.0.0.3, remote crypto endpt.: 10.0.0.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1 current outbound spi: 0x96474B70(2521254768) inbound esp sas: spi: 0x59B117E1(1504778209) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 1, flow_id: SW:1, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4399136/3319) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x96474B70(2521254768) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2, flow_id: SW:2, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4399136/3319) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:Thanks for the question, and best wishes in all of your studies!
0 comments:
Post a Comment