IPSec VPN Accounting
The IPSec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.
A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPSec) pair is created and stops when all IPSec SAs are deleted.
Session identifying information and session usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server via standard RADIUS attributes and vendor-specific attributes (VSAs).
Feature Specifications for IPSec VPN Accounting
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for IPSec VPN Accounting
• Information About IPSec VPN Accounting
• How to Configure IPSec VPN Accounting
• Configuration Examples for IPSec VPN Accounting
Prerequisites for IPSec VPN Accounting
You need to understand how to configure RADIUS and authentication, authorization, and accounting (AAA) accounting. For information about configuring RADIUS and AAA, refer to the following documents:
• Configuring Basic AAA RADIUS for Dial-In Clients
• The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide
• The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2
• The chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2
You also need to know how to configure IPSec accounting. For information about configuring IPSec accounting, refer to the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2.
Information About IPSec VPN Accounting
To configure IPSec VPN accounting, you must understand the following concepts:
• IKE and IPSec Subsystem Interaction
RADIUS Accounting
For many large networks, user activity must be recorded for auditing purposes. The most commonly used method is RADIUS accounting.
RADIUS accounting allows for a session to be accounted for by indicating when the session starts and when it stops. Additionally, session identifying information and session usage information will be passed to the RADIUS server via RADIUS attributes and VSAs.
RADIUS Start Accounting
The RADIUS Start packet contains many attributes that generally identify who is requesting the service and what that service consists of. Table 1 lists the attributes required for the Start packet.
RADIUS Stop Accounting
The RADIUS Stop packet contains many attributes that identify the usage of the session. Table 2 lists the additional attributes required for the RADIUS Stop packet. If configured to do so, the router can send only the Stop packet, without the Start; sending only the Stop packet is an easy way to reduce the number of records going to the AAA server.
RADIUS Update Accounting
RADIUS accounting updates are supported. Packet and octet counts are shown in the updates. To learn more about AAA, refer to the following documents:
• Configuring Basic AAA RADIUS for Dial-In Clients
• The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2 T
• How to Assign Privilege Levels with TACACS+ and RADIUS
• Other AAA documentation at the Cisco.com website
IKE and IPSec Subsystem Interaction
Accounting Start
If IPSec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying.
The following is an account start record that was generated on a router and that is to be sent to the AAA server that is defined:
*Aug 23 04:06:20.131: RADIUS(00000002): sending
*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 220
*Aug 23 04:06:20.131: RADIUS: authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 FB 3F
*Aug 23 04:06:20.135: RADIUS: Acct-Session-Id [44] 10 "00000001"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 31
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 25 "isakmp-group-id=cclient"
*Aug 23 04:06:20.135: RADIUS: Framed-IP-Address [8] 6 10.13.13.1
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.2.2"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:06:20.135: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 25
*Aug 23 04:06:20.135: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 04:06:20.135: RADIUS: NAS-Port [5] 6 0
*Aug 23 04:06:20.135: RADIUS: NAS-IP-Address [4] 6 10.1.1.147
*Aug 23 04:06:20.135: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 10.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:06:20.139: RADIUS: authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 9D 5D
Accounting Stop
An accounting stop packet is generated when there are no more flows (IPSec SA pairs) with the remote peer.
The accounting stop records contain the following information:
• Packets out
• Packets in
• Octets out
• Gigawords in
• Gigawords out
Below is an accounting stop record that was generated on a router. The accounting stop record is to be sent to the AAA server that is defined.
*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS(00000003): sending
*Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238
*Aug 23 04:20:16.519: RADIUS: authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 3E E6
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Packets [48] 6 1004
*Apr 23 04:20:16.519: RADIUS: Acct-Input-Giga-Word[52] 6 0
*Apr 23 04:20:16.519: RADIUS: Acct-Output-Giga-Wor[53] 6 0
*Aug 23 04:20:16.519: RADIUS: Acct-Terminate-Cause[49] 6 none [0]
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 32
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 26 "disc-cause-ext=No Reason"
*Aug 23 04:20:16.519: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 25
*Aug 23 04:20:16.519: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 04:20:16.519: RADIUS: NAS-Port [5] 6 0
*Aug 23 04:20:16.519: RADIUS: NAS-IP-Address [4] 6 100.1.1.147
*Aug 23 04:20:16.519: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:20:16.523: RADIUS: authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 22 A0
Accounting Updates
If accounting updates are enabled, accounting updates are sent while a session is "up." The update interval is configurable. To enable the accounting updates, use the aaa accounting update command.
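The Start, Stop and Watchdog (update) records in this section are what an audit pipeline has to consume. The following Python is an added example, not code from the Cisco document: it parses debug radius output of this shape into per-session usage, pairing records by Acct-Session-Id and combining the octet and Gigawords counters; the records in SAMPLE are constructed for the example.

```python
"""Parse Cisco IOS 'debug radius' accounting output into per-session usage.
Added example, not from the Cisco document: it reads Start, Stop and Watchdog
(update) records of the form shown in this section, pairs them by
Acct-Session-Id, and combines Acct-*-Octets with Acct-*-Gigawords so byte
counts survive the 32-bit wrap. The records in SAMPLE are constructed."""
import re

GIGAWORD = 1 << 32
# "RADIUS(<handle>): Send Accounting-Request to <server> ..." opens a record.
SEND_RE = re.compile(r"RADIUS\([0-9A-Fa-f]+\): Send Accounting-Request to (?P<server>\S+)")
# "RADIUS:  <Name> [<type>] <len> <value>"; IOS truncates long names and drops the
# space before the bracket (Acct-Input-Giga-Word[52]), so that space is optional.
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z0-9 ,\-]+?)\s*\[\d+\]\s+\d+\s*(?P<value>.*)$")

def decode_value(raw):
    """Quoted strings lose their quotes, enumerations ("Stop [2]") keep the
    symbolic name, plain digits become ints, anything else stays a string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    m = re.fullmatch(r"(\w+)\s+\[\d+\]", raw)
    if m:
        return m.group(1)
    return int(raw) if raw.isdigit() else raw

def parse_records(text):
    """Split debug output into Accounting-Request records with their attributes."""
    records, current = [], None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = {"server": m.group("server"), "attrs": {}, "avpairs": {}}
            records.append(current)
        elif current is not None and (m := ATTR_RE.search(line)):
            name = m.group("name").strip()
            if name == "Vendor, Cisco":
                continue  # VSA envelope; the indented AVpair line after it carries the data
            if name == "Cisco AVpair":  # quoted "key=value"
                key, _, val = decode_value(m.group("value")).partition("=")
                current["avpairs"][key] = val
            else:
                current["attrs"][name] = decode_value(m.group("value"))
    return records

def total_octets(attrs, direction):
    """Acct-<dir>-Gigawords * 2^32 + Acct-<dir>-Octets, tolerating truncated names."""
    low = attrs.get(f"Acct-{direction}-Octets", 0)
    high = next((v for k, v in attrs.items() if k.startswith(f"Acct-{direction}-Giga")), 0)
    return high * GIGAWORD + low

def summarize_sessions(records):
    """Fold records into one entry per Acct-Session-Id."""
    sessions = {}
    for rec in records:
        a, vsa = rec["attrs"], rec["avpairs"]
        s = sessions.setdefault(a.get("Acct-Session-Id"), {"start": False, "stop": False, "updates": 0})
        if "isakmp-initator-ip" in vsa:  # IOS's own spelling of the VSA
            s["initiator"] = vsa["isakmp-initator-ip"]
        status = a.get("Acct-Status-Type")
        if status == "Start":
            s.update(start=True, user=a.get("User-Name"), group=vsa.get("isakmp-group-id"),
                     framed_ip=a.get("Framed-IP-Address"))
        elif status == "Watchdog":
            s["updates"] += 1
        elif status == "Stop":
            s.update(stop=True, seconds=a.get("Acct-Session-Time"),
                     octets_in=total_octets(a, "Input"), octets_out=total_octets(a, "Output"),
                     terminate_cause=a.get("Acct-Terminate-Cause"))
    return sessions

def unpaired(sessions):
    """Ids with a Start but no Stop (still up, or the Stop was lost) or a Stop but no
    Start (stop-only accounting, or the Start was lost); both deserve a look in an audit."""
    return sorted(sid for sid, s in sessions.items() if s["start"] != s["stop"])

SAMPLE = """\
*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 220
*Aug 23 04:06:20.135: RADIUS:  Acct-Session-Id     [44]  10  "00000007"
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  31
*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   25  "isakmp-group-id=cclient"
*Aug 23 04:06:20.135: RADIUS:  Framed-IP-Address   [8]   6   10.13.13.1
*Aug 23 04:06:20.135: RADIUS:  User-Name           [1]   13  "joe@cclient"
*Aug 23 04:06:20.135: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
*Aug 23 04:16:05.263: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 5, len 200
*Aug 23 04:16:05.263: RADIUS:  Acct-Session-Id     [44]  10  "00000007"
*Aug 23 04:16:05.263: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
*Aug 23 04:20:16.519: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 6, len 238
*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Id     [44]  10  "00000007"
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  35
*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=11.1.2.2"
*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Time   [46]  6   709
*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Octets   [42]  6   152608
*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Octets  [43]  6   152608
*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Giga-Word[52]  6   0
*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Giga-Wor[53]  6   1
*Aug 23 04:20:16.519: RADIUS:  Acct-Terminate-Cause[49]  6   none                      [0]
*Aug 23 04:20:16.519: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
*Aug 23 05:00:00.000: RADIUS(00000003): Send Accounting-Request to 10.1.1.4:1646 id 7, len 120
*Aug 23 05:00:00.000: RADIUS:  Acct-Session-Id     [44]  10  "00000008"
*Aug 23 05:00:00.000: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
"""
```

Session 00000008 in the sample has a Stop without a Start, which is what a stop-only configuration (or a lost Start) looks like to the collector.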
The following is an accounting update record that is being sent from the router:
Router#
*Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0
*Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147
*Aug 23 21:46:05.263: RADIUS(00000004): sending
*Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, len 200
*Aug 23 21:46:05.263: RADIUS: authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 52 25
*Aug 23 21:46:05.263: RADIUS: Acct-Session-Id [44] 10 "00000003"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 20
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 35
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 36
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 21:46:05.263: RADIUS: Acct-Session-Time [46] 6 109
*Aug 23 21:46:05.263: RADIUS: Acct-Input-Octets [42] 6 608
*Aug 23 21:46:05.263: RADIUS: Acct-Output-Octets [43] 6 608
*Aug 23 21:46:05.263: RADIUS: Acct-Input-Packets [47] 6 4
*Aug 23 21:46:05.263: RADIUS: Acct-Output-Packets [48] 6 4
*Aug 23 21:46:05.263: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 25
*Aug 23 21:46:05.263: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 21:46:05.263: RADIUS: NAS-Port [5] 6 0
*Aug 23 21:46:05.263: RADIUS: NAS-IP-Address [4] 6 100.1.1.147
*Aug 23 21:46:05.263: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 21:46:05.267: RADIUS: authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 1C
How to Configure IPSec VPN Accounting
This section contains the following procedures:
• Configuring IPSec VPN Accounting
• Configuring Accounting Updates
• Troubleshooting for IPSec VPN Accounting
Configuring IPSec VPN Accounting
To enable IPSec VPN Accounting, you need to perform the following required task:
Prerequisites
Before configuring IPSec VPN accounting, you must first configure IPSec. To learn about configuring IPSec, refer to the following documents:
• The chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2
• Other IPSec documentation at the Cisco.com website
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login list-name method
5. aaa authorization network list-name method
6. aaa accounting network list-name start-stop [broadcast] group group-name
7. aaa session-id common
8. crypto isakmp profile profile-name
9. vrf ivrf
10. match identity group group-name
11. client authentication list list-name
12. isakmp authorization list list-name
13. client configuration address [initiate | respond]
14. accounting list-name
15. exit
16. crypto dynamic-map dynamic-map-name dynamic-seq-num
17. set transform-set transform-set-name
18. set isakmp-profile profile-name
19. reverse-route [remote-peer]
20. exit
21. crypto map map-name ipsec-isakmp dynamic dynamic-template-name
22. radius-server host ip-address [auth-port port-number] [acct-port port-number]
23. radius-server key string
24. radius-server vsa send accounting
25. interface interface-id
26. crypto map map-name
DETAILED STEPS
Configuring Accounting Updates
To send accounting updates while a session is "up," perform the following optional task:
Prerequisites
Before you configure accounting updates, you must first configure IPSec VPN accounting. See the section "Configuring IPSec VPN Accounting."
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting update periodic number
DETAILED STEPS
Troubleshooting for IPSec VPN Accounting
To display messages about IPSec accounting events, perform the following optional task:
SUMMARY STEPS
1. enable
2. debug crypto isakmp aaa
DETAILED STEPS
Configuration Examples for IPSec VPN Accounting
• Accounting and ISAKMP-Profile Example
• Accounting Without ISAKMP Profiles Example
Accounting and ISAKMP-Profile Example
The following example shows a configuration for supporting remote access clients with accounting and ISAKMP profiles:
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sheep
!
aaa new-model
!
!
aaa accounting network ipsecaaa start-stop group radius
aaa accounting update periodic 1
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip name-server 172.29.2.133
ip name-server 172.29.11.48
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 200
crypto isakmp key cisco address 172.31.100.2
crypto isakmp client configuration group cclient
 key jegjegjhrg
 pool addressA
crypto isakmp profile groupA
 vrf cisco
 match identity group cclient
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map remotes 1
 set peer 172.31.100.2
 set security-association lifetime seconds 120
 set transform-set esp-des-md5
 reverse-route
!
crypto map test 10 ipsec-isakmp dynamic remotes
!
voice call carrier capacity active
!
interface Loopback0
 ip address 10.20.20.20 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0
 ip address 10.2.80.203 255.255.255.0
 no ip mroute-cache
 load-interval 30
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.219.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.28.100.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map test
!
no fair-queue
ip default-gateway 10.2.80.1
ip classless
ip route 10.0.0.0 0.0.0.0 10.2.80.1
ip route 10.20.0.0 255.0.0.0 10.2.80.56
ip route 10.10.10.0 255.255.255.0 172.31.100.2
ip route 10.0.0.2 255.255.255.255 10.2.80.73
ip local pool addressA 192.168.1.1 192.168.1.253
no ip http server
ip pim bidir-enable
!
!
ip access-list extended encrypt
 permit ip host 10.0.0.1 host 10.5.0.1
!
access-list 101 permit ip host 10.20.20.20 host 10.10.10.10
!
!
radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 exec prompt timestamp
line aux 0
line vty 5 15
ntp server 172.31.150.52
end
Accounting Without ISAKMP Profiles Example
The following example shows a full Cisco IOS configuration that supports accounting remote access peers when ISAKMP profiles are not used:
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sheep
!
aaa new-model
!
!
aaa accounting network ipsecaaa start-stop group radius
aaa accounting update periodic 1
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip name-server 172.29.2.133
ip name-server 172.29.11.48
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 200
crypto isakmp key cisco address 172.31.100.2
!
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto map test client accounting list ipsecaaa
crypto map test 10 ipsec-isakmp
 set peer 172.31.100.2
 set security-association lifetime seconds 120
 set transform-set esp-des-md5
 match address 101
!
voice call carrier capacity active
!
interface Loopback0
 ip address 10.20.20.20 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0
 ip address 10.2.80.203 255.255.255.0
 no ip mroute-cache
 load-interval 30
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.219.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.28.100.1 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map test
!
no fair-queue
ip default-gateway 10.2.80.1
ip classless
ip route 10.0.0.0 0.0.0.0 10.2.80.1
ip route 10.30.0.0 255.0.0.0 10.2.80.56
ip route 10.10.10.0 255.255.255.0 172.31.100.2
ip route 10.0.0.2 255.255.255.255 10.2.80.73
no ip http server
ip pim bidir-enable
!
!
ip access-list extended encrypt
 permit ip host 10.0.0.1 host 10.5.0.1
!
access-list 101 permit ip host 10.20.20.20 host 10.10.10.10
!
!
radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 exec prompt timestamp
line aux 0
line vty 5 15
!
exception core-file ioscrypto/core/sheep-core
exception dump 172.25.1.129
ntp clock-period 17208229
ntp server 172.71.150.52
!
end
Additional References
For additional information related to IPSec VPN accounting, refer to the following references:
Related Documents
Related Topic / Document Title
Configuring AAA accounting
• The chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2
Configuring IPSec VPN accounting
• The chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2
Configuring basic AAA RADIUS
• Configuring Basic AAA RADIUS for Dial-In Clients
• The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2
• The chapter "RADIUS Commands" in the Security Command Reference, Release 12.2 T
Configuring ISAKMP profiles
• VRF-Aware IPSec, Cisco IOS Release 12.2(15)T feature module
Privilege levels with TACACS+ and RADIUS
• How to Assign Privilege Levels with TACACS+ and RADIUS
IP security, RADIUS, and AAA commands
• Cisco IOS Security Command Reference, Release 12.2 T
Standards
MIBs
MIBs: None
MIBs Link:
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
New Commands
• client authentication list
• client configuration address
• crypto isakmp profile
• isakmp authorization list
• match identity
• set isakmp-profile
• vrf
Modified Commands
• crypto map (global IPSec)
• debug crypto isakmp
client authentication list
To configure Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To restore the default behavior, which is that XAUTH is not enabled, use the no form of this command.
client authentication list list-name
no client authentication list list-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before configuring XAUTH, you must set up an authentication list using AAA commands.
Examples
The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."
crypto isakmp profile vpnprofile
 client authentication list xauthlist
Related Commands
client configuration address
To configure Internet Key Exchange (IKE) configuration mode in the Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuration mode, use the no form of this command.
client configuration address {initiate | respond}
no client configuration address {initiate | respond}
Syntax Description
initiate
Router will attempt to set IP addresses for each peer.
respond
Router will accept requests for IP addresses from any requesting peer.
Defaults
IKE configuration is not enabled.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the crypto isakmp profile command.
Examples
The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":
crypto isakmp profile vpnprofile
 client configuration address initiate
 client configuration address respond
Related Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP Security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile profile-name [accounting aaalist]
no crypto isakmp profile profile-name [accounting aaalist]
Syntax Description
profile-name
Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.
accounting aaalist
(Optional) Name of a client accounting list.
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
Defining an ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (XAUTH) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
Auditing IPSec User Sessions
Use this command to audit multiple user sessions that are terminating on the IPSec gateway.
Note
The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofile
 match identity address 10.76.11.53
The following accounting example shows that an ISAKMP profile is configured:
aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
crypto isakmp profile cisco
 vrf cisco
 match identity group cclient
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
crypto dynamic-map dynamic 1
 set transform-set aswan
 set isakmp-profile cisco
 reverse-route
!
!
radius-server host 172.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite
Related Commands
crypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
no crypto map map-name seq-num
Note
Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.
Syntax Description
Defaults
No crypto maps exist.
Peer discovery is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
•
What traffic should be protected
•
To which IPSec peers the protected traffic can be forwarded—these are the peers with which an SA can be established
•
Which transform sets are acceptable for use with the protected traffic
•
How keys and security associations should be used or managed (or what the keys are, if IKE is not used)
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps, do you want it to be evaluated against the dynamic map set.
To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
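The evaluation order above (lowest seq-num first, dynamic entries last, unmatched traffic forwarded without IPSec) is easy to get wrong in a large set. The following Python is an added example and not Cisco code: it models that order for the "mymap" 10/20/30 set used in the Examples section below, with constructed stand-ins for access lists 101, 102 and 103 because the document does not show their contents.

```python
"""Model of crypto map set evaluation for outbound traffic.
Added example, not Cisco code: it applies the rules in this section (entries
tried in ascending seq-num, a dynamic entry placed last, no match means the
packet is forwarded without IPSec) to the "mymap" 10/20/30 set from the
Examples section. The ACL contents for 101, 102 and 103 are constructed here,
since the document does not show them."""
import ipaddress

def acl(*pairs):
    """'permit ip <src> <dst>' entries reduced to (source, destination) networks."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in pairs]

def permits(entries, src, dst):
    """True if any permit entry covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

# Constructed stand-ins for access lists 101, 102 and 103 (not from the document).
MYMAP = [
    {"seq": 10, "acl": acl(("10.1.1.0/24", "10.2.2.0/24")), "peers": ["10.0.0.1", "10.0.0.2"], "dynamic": None},
    {"seq": 20, "acl": acl(("10.1.1.0/24", "10.3.3.0/24")), "peers": ["10.0.0.3"], "dynamic": None},
    {"seq": 30, "acl": acl(("10.1.1.0/24", "192.168.0.0/16")), "peers": [], "dynamic": "mydynamicmap"},
]

def dynamic_entries_last(crypto_map):
    """The document's rule: entries that reference a dynamic map set carry the highest seq-num."""
    static = [e["seq"] for e in crypto_map if e["dynamic"] is None]
    dynamic = [e["seq"] for e in crypto_map if e["dynamic"] is not None]
    return not static or not dynamic or min(dynamic) > max(static)

def classify_outbound(crypto_map, src, dst, existing_sas=frozenset()):
    """Return (seq, action) for the first entry, in seq-num order, whose ACL permits the flow.
    static entry  -> "protect": IKE is initiated with its peers if no SA exists yet
    dynamic entry -> "protect" only if an SA already exists for the flow, else "drop",
                     because the router cannot initiate to a peer it does not know
    no entry      -> "clear": the packet leaves the interface without IPSec"""
    for entry in sorted(crypto_map, key=lambda e: e["seq"]):
        if not permits(entry["acl"], src, dst):
            continue
        if entry["dynamic"] is None:
            return entry["seq"], "protect"
        return entry["seq"], ("protect" if (src, dst) in existing_sas else "drop")
    return None, "clear"

def matching_entries(crypto_map, src, dst):
    """Every entry that would permit the flow, in evaluation order; only the first is used,
    so an overlapping lower seq-num silently shadows a more specific higher one."""
    return [e["seq"] for e in sorted(crypto_map, key=lambda e: e["seq"]) if permits(e["acl"], src, dst)]
```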
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
TED helps only in discovering peers; otherwise, TED does not function any differently from normal IPSec. Thus, TED does not improve the scalability of IPSec (in terms of performance or the number of peers or tunnels).
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Transport Protocol (L2TP) Security feature. The relevant SAs in the crypto map profile are cloned and used to protect IP traffic on the L2TP tunnel.
Note
The set peer and match address commands are ignored by crypto profiles and should not be configured in the crypto map definition.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
 match address 102
 set transform-set someset
 set peer 10.0.0.5
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdefabcd
The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmp
match address 101
set transform-set my_t_set1
set peer 10.0.0.1
set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
match address 102
set transform-set my_t_set1 my_t_set2
set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
match address 103
set transform-set my_t_set1 my_t_set2 my_t_set3
The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discover
The following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tp
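The filtering behaviour described for "mymap" and "mydynamicmap" above (cleartext that matches a crypto access list is dropped on input; on output a static entry can initiate IKE but a dynamic entry cannot, so its traffic is dropped until a peer has negotiated an SA) is easy to get wrong when writing crypto ACLs. The following Python model is an added example, not Cisco code: it keeps only the parts that matter for the filter rule (first-match ACLs, static versus dynamic entries, whether an SA exists). The networks, peers and ACL contents are constructed for the example, and SAs are keyed by crypto map sequence number rather than by proxy identity and SPI.

```python
"""Model of a crypto map's access list acting as a traffic filter.

Added example, not Cisco code: a simplified model of the behaviour described
for "mymap" above. Network numbers, peers and ACLs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

PROTECT = "protect"              # outbound: encapsulate with the existing SA
INITIATE = "initiate-ike"        # outbound: static entry, no SA yet, start IKE
DROP_NO_SA = "drop-no-sa"        # outbound: dynamic entry has no peer to initiate to
BYPASS = "bypass"                # outbound: not crypto traffic, sent in the clear
ACCEPT = "accept"                # inbound: IPSec-protected, or not crypto traffic
DROP_CLEAR = "drop-unprotected"  # inbound: cleartext that matches a crypto ACL


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # CIDR, e.g. "10.1.1.0/24"
    dst: str


def acl_permits(acl, src, dst):
    """Cisco-style first-match evaluation with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False


@dataclass
class CryptoMapEntry:
    seq: int
    acl: tuple
    peers: tuple = ()      # "set peer" addresses; empty for dynamic entries
    dynamic: bool = False  # "crypto map ... ipsec-isakmp dynamic <name>"


@dataclass
class CryptoMapSet:
    entries: list
    # Real SAs are keyed by proxy identities and SPI; in this model an SA is
    # simply recorded against the sequence number of the entry that owns it.
    established: set = field(default_factory=set)

    def _match(self, src, dst):
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if acl_permits(entry.acl, src, dst):
                return entry
        return None

    def outbound(self, src, dst):
        entry = self._match(src, dst)
        if entry is None:
            return BYPASS
        if entry.seq in self.established:
            return PROTECT
        # A dynamic entry cannot initiate: the packet is dropped, as the text says.
        return DROP_NO_SA if entry.dynamic else INITIATE

    def inbound(self, src, dst, ipsec_protected):
        # The crypto ACL is applied mirrored to inbound traffic (source and
        # destination swapped); cleartext that matches a permit is dropped.
        entry = self._match(dst, src)
        if entry is None or ipsec_protected:
            return ACCEPT
        return DROP_CLEAR


def build_mymap():
    """Static/dynamic mix like "mymap": seq 10 static to two peers, seq 30 dynamic."""
    acl101 = (AclEntry("permit", "10.1.1.0/24", "10.2.2.0/24"),)
    acl103 = (AclEntry("deny", "10.1.1.0/24", "10.3.3.99/32"),
              AclEntry("permit", "10.1.1.0/24", "10.3.3.0/24"))
    return CryptoMapSet([
        CryptoMapEntry(10, acl101, peers=("10.0.0.1", "10.0.0.2")),
        CryptoMapEntry(30, acl103, dynamic=True),
    ])


if __name__ == "__main__":
    cm = build_mymap()
    print(cm.outbound("10.1.1.5", "10.2.2.7"))        # initiate-ike: static entry, no SA yet
    print(cm.outbound("10.1.1.5", "10.3.3.7"))        # drop-no-sa: dynamic entry, peer unknown
    print(cm.inbound("10.2.2.7", "10.1.1.5", False))  # drop-unprotected: cleartext on crypto ACL
    cm.established.add(30)                             # a peer negotiated via the dynamic entry
    print(cm.outbound("10.1.1.5", "10.3.3.7"))        # protect
```

The deny entry in acl103 shows the other half of the rule: traffic a crypto ACL denies is not crypto traffic at all, so it is neither protected nor dropped but forwarded in the clear.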
Related Commands
debug crypto isakmp
To display messages about Internet Key Exchange (IKE) events, use the debug crypto isakmp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto isakmp [aaa]
no debug crypto isakmp [aaa]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation.
First, IKE negotiates its own security association (SA), checking for a matching IKE policy.
Router# debug crypto isakmp
20:26:58: ISAKMP (8): beginning Main Mode exchange
20:26:58: ISAKMP (8): processing SA payload. message ID = 0
20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy
20:26:58: ISAKMP: encryption DES-CBC
20:26:58: ISAKMP: hash SHA
20:26:58: ISAKMP: default group 1
20:26:58: ISAKMP: auth pre-share
20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0
IKE has found a matching policy. Next, the IKE SA is used by each peer to authenticate the other peer.
20:26:58: ISAKMP (8): SA is doing pre-shared key authentication
20:26:59: ISAKMP (8): processing KE payload. message ID = 0
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 0
20:26:59: ISAKMP (8): SKEYID state generated
20:26:59: ISAKMP (8): processing ID payload. message ID = 0
20:26:59: ISAKMP (8): processing HASH payload. message ID = 0
20:26:59: ISAKMP (8): SA has been authenticated
Next, IKE negotiates to set up the IP Security (IPSec) SA by searching for a matching transform set.
20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 767162845
20:26:59: ISAKMP (8): processing SA payload. message ID = 767162845
20:26:59: ISAKMP (8): Checking IPSec proposal 1
20:26:59: ISAKMP: transform 1, ESP_DES
20:26:59: ISAKMP: attributes in transform:
20:26:59: ISAKMP: encaps is 1
20:26:59: ISAKMP: SA life type in seconds
20:26:59: ISAKMP: SA life duration (basic) of 600
20:26:59: ISAKMP: SA life type in kilobytes
20:26:59: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
20:26:59: ISAKMP: authenticator is HMAC-MD5
20:26:59: ISAKMP (8): atts are acceptable.
A matching IPSec transform set has been found at the two peers. Now the IPSec SA can be created (one SA is created for each direction).
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): Creating IPSec SAs
20:26:59: inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1 )
20:26:59: has spi 454886490 and conn_id 9 and flags 4
20:26:59: lifetime of 600 seconds
20:26:59: lifetime of 4608000 kilobytes
20:26:59: outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to 155.0.0.2 )
20:26:59: has spi 75506225 and conn_id 10 and flags 4
20:26:59: lifetime of 600 seconds
20:26:59: lifetime of 4608000 kilobytes
The following is sample output from the debug crypto isakmp command using the aaa keyword:
Router# debug crypto isakmp aaa
Start Example
01:38:55: ISAKMP AAA: Sent Accounting Message
01:38:55: ISAKMP AAA: Accounting message sucessful
01:38:55: ISAKMP AAA: Rx Accounting Message
01:38:55: ISAKMP AAA: Adding Client Attributes to Accounting Record
01:38:55: ISAKMP AAA: Accounting Started
Update Example
01:09:55: ISAKMP AAA: Accounting received kei with flags 0x1042
01:09:55: ISAKMP AAA: Updating Stats
01:09:55: Previous in acc (PKTS) IN: 10 OUT: 10
01:09:55: Traffic on sa (PKTS) IN: 176 OUT: 176
Related Commands
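When accounting records do not line up with what IKE negotiated, the two debug outputs above are what a practitioner correlates: the Quick Mode block gives the SPIs, connection IDs and lifetimes of the IPSec SA pair, and the aaa update block gives the packet counters before and after an accounting update. The following Python parser is an added example, not Cisco code; its regular expressions are written against the lines shown above, and the SAMPLE text is copied from that sample output. It also decodes the variable-length "SA life duration (VPI)" bytes from the proposal so they can be checked against the kilobyte lifetime reported for the SA.

```python
"""Summarize IPSec SAs and accounting counters from debug crypto isakmp output.

Added example, not Cisco code. SAMPLE is copied from the sample output shown
in this reference; the regular expressions are this example's own.
"""
import re

SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+) \(proxy (\S+) to (\S+) ?\)")
SPI_RE = re.compile(r"has spi (\d+) and conn_id (\d+) and flags (\d+)")
LIFE_RE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")
PKTS_RE = re.compile(r"(Previous in acc|Traffic on sa) \(PKTS\) IN: (\d+) OUT: (\d+)")


def parse_ipsec_sas(debug_text):
    """Return one dict per 'inbound/outbound SA' block: endpoints, proxies, SPI, conn_id, lifetimes."""
    sas, current = [], None
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if m:
            direction, src, dst, proxy_src, proxy_dst = m.groups()
            current = {"direction": direction, "src": src, "dst": dst,
                       "proxy_src": proxy_src, "proxy_dst": proxy_dst}
            sas.append(current)
            continue
        if current is None:
            continue
        m = SPI_RE.search(line)
        if m:
            current["spi"], current["conn_id"], current["flags"] = map(int, m.groups())
            continue
        m = LIFE_RE.search(line)
        if m:
            current["lifetime_" + m.group(2)] = int(m.group(1))
    return sas


def vpi_lifetime(vpi_bytes):
    """Decode the variable-length kilobyte lifetime as printed in the Quick Mode
    proposal, e.g. '0x0 0x46 0x50 0x0' -> 4608000 (big-endian byte string)."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi_bytes.split()), "big")


def accounting_delta(debug_text):
    """(in, out) packets seen on the SA since the counters in the previous
    accounting record, taken from a 'debug crypto isakmp aaa' update block."""
    counts = {m.group(1): (int(m.group(2)), int(m.group(3)))
              for m in PKTS_RE.finditer(debug_text)}
    prev, now = counts["Previous in acc"], counts["Traffic on sa"]
    return now[0] - prev[0], now[1] - prev[1]


def check_sa_pair(sas):
    """Sanity checks: one SA per direction, distinct SPIs, matching lifetimes."""
    problems = []
    directions = sorted(sa["direction"] for sa in sas)
    if directions != ["inbound", "outbound"]:
        problems.append(f"expected one SA per direction, got {directions}")
    if len({sa.get("spi") for sa in sas}) != len(sas):
        problems.append("duplicate SPI")
    if len({(sa.get("lifetime_seconds"), sa.get("lifetime_kilobytes")) for sa in sas}) > 1:
        problems.append("lifetimes differ between directions")
    return problems


# Copied from the sample output above (Quick Mode SA creation, then an aaa update).
SAMPLE = """\
20:26:59: ISAKMP (8): Creating IPSec SAs
20:26:59: inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1 )
20:26:59: has spi 454886490 and conn_id 9 and flags 4
20:26:59: lifetime of 600 seconds
20:26:59: lifetime of 4608000 kilobytes
20:26:59: outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to 155.0.0.2 )
20:26:59: has spi 75506225 and conn_id 10 and flags 4
20:26:59: lifetime of 600 seconds
20:26:59: lifetime of 4608000 kilobytes
01:09:55: ISAKMP AAA: Accounting received kei with flags 0x1042
01:09:55: ISAKMP AAA: Updating Stats
01:09:55: Previous in acc (PKTS) IN: 10 OUT: 10
01:09:55: Traffic on sa (PKTS) IN: 176 OUT: 176
"""

if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE)
    for sa in sas:
        print(sa)
    print("problems:", check_sa_pair(sas))
    print("packets since last record (in, out):", accounting_delta(SAMPLE))
    print("VPI lifetime from proposal:", vpi_lifetime("0x0 0x46 0x50 0x0"))
```

For the sample above the proposal bytes 0x0 0x46 0x50 0x0 decode to 4608000, the same kilobyte lifetime the router reports for both SAs, and the update block shows 166 packets in each direction since the previous accounting record.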
isakmp authorization list
To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in isakmp profile configuration mode. To disable the shared secret, use the no form of this command.
isakmp authorization list list-name
no isakmp authorization list list-name
Syntax Description
list-name
AAA authorization list used for configuration mode attributes or preshared keys for aggressive mode.
Defaults
No default behaviors or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
This command allows you to retrieve a shared secret from an AAA server.
Examples
The following example shows that an IKE shared secret is configured using an AAA server on a router:
crypto isakmp profile vpnprofile
isakmp authorization list ikessaaalist
Related Commands
match identity
To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in isakmp profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
no match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
There must be at least one match identity command in an ISAKMP profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
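The uniqueness rule above is easy to break as profiles accumulate: an address statement with a mask in one profile and a single address in another, or a host domain in one profile and a host FQDN under that domain in another, both let one peer identity match two profiles. The following Python lint is an added example, not Cisco code. It parses "crypto isakmp profile" blocks from running-config text and reports every cross-profile pair of match identity statements that could match the same peer. The overlap rules (intersecting address ranges in the same FVRF, a host or user FQDN that falls under another profile's domain, identical group names) are this example's reading of the guidelines; the sample configuration is constructed.

```python
"""Lint: flag peer identities that would match more than one ISAKMP profile.

Added example, not Cisco code. The overlap rules below are this example's
reading of the usage guidelines; SAMPLE_CONFIG is constructed.
"""
import ipaddress
import re

PROFILE_RE = re.compile(r"^\s*crypto isakmp profile (\S+)")
# "host domain" and "user domain" are listed before "host"/"user" so they win the alternation.
MATCH_RE = re.compile(r"^\s*match identity (group|address|host domain|host|user domain|user) (.+?)\s*$")


def parse_profiles(config_text):
    """Return {profile_name: [(kind, value), ...]} in configuration order.

    A profile block is taken to run until the next "crypto isakmp profile"
    line; "match identity" statements only occur inside such blocks.
    """
    profiles, current = {}, None
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), [])
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
    return profiles


def _address(value):
    """'10.1.1.1', '10.1.0.0 255.255.0.0' or '10.1.1.1 255.255.255.255 fvrf1' -> (network, fvrf)."""
    tokens = value.split()
    addr, mask, fvrf = tokens[0], "255.255.255.255", None
    for tok in tokens[1:]:
        try:
            ipaddress.ip_address(tok)
            mask = tok
        except ValueError:
            fvrf = tok  # any non-address token is the front door VRF name
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), fvrf


def _under_domain(fqdn, domain):
    """host 'server.vpn.com' or user 'alice@vpn.com' falls under domain 'vpn.com'."""
    suffix = fqdn.split("@")[-1].lower()
    domain = domain.lower()
    return suffix == domain or suffix.endswith("." + domain)


def identities_overlap(a, b):
    """True if one peer ID payload could satisfy both match identity statements."""
    (ka, va), (kb, vb) = a, b
    if ka == "address" and kb == "address":
        (na, fa), (nb, fb) = _address(va), _address(vb)
        return fa == fb and na.overlaps(nb)
    for leaf, dom in (("host", "host domain"), ("user", "user domain")):
        if (ka, kb) == (leaf, dom):
            return _under_domain(va, vb)
        if (ka, kb) == (dom, leaf):
            return _under_domain(vb, va)
    return ka == kb and va.lower() == vb.lower()


def find_conflicts(config_text):
    """List (profile_a, identity_a, profile_b, identity_b) for every cross-profile overlap."""
    profiles = list(parse_profiles(config_text).items())
    conflicts = []
    for i, (pa, ids_a) in enumerate(profiles):
        for pb, ids_b in profiles[i + 1:]:
            for ida in ids_a:
                for idb in ids_b:
                    if identities_overlap(ida, idb):
                        conflicts.append((pa, ida, pb, idb))
    return conflicts


# Constructed sample: vpn1 and vpn2 both claim 10.53.11.1, and server.vpn.com
# is matched by vpn2's domain rule as well as vpn3's host rule. vpn3's address
# statement is in a different FVRF, so it does not collide with the others.
SAMPLE_CONFIG = """\
crypto isakmp profile vpn1
 match identity address 10.53.11.0 255.255.255.0
 match identity group vpngroup
crypto isakmp profile vpn2
 match identity address 10.53.11.1
 match identity host domain vpn.com
crypto isakmp profile vpn3
 match identity host server.vpn.com
 match identity address 10.53.11.1 255.255.255.255 fvrf1
"""

if __name__ == "__main__":
    for pa, ida, pb, idb in find_conflicts(SAMPLE_CONFIG):
        print(f"{pa}: match identity {ida[0]} {ida[1]}  <->  {pb}: match identity {idb[0]} {idb[1]}")
```

Run against a saved "show running-config", an empty result means every peer identity maps to at most one profile; each reported pair is a configuration the guidelines above call invalid.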
Examples
The following example shows that the match identity command is configured:
crypto isakmp profile vpnprofile
match identity group vpngroup
match identity address 10.53.11.1
match identity host domain vpn.com
match identity host server.vpn.com
set isakmp-profile
To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.
set isakmp-profile profile-name
no set isakmp-profile profile-name
Syntax Description
Defaults
If the ISAKMP profile is not specified in the crypto map entry, the default is the ISAKMP profile applied to the crypto map set as a whole (the crypto map head). If there is no ISAKMP profile on the head, the default is "none."
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command specifies the ISAKMP profile to use when you start the Internet Key Exchange (IKE) exchange.
Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile has been configured on a crypto map:
crypto map vpnmap 10 ipsec-isakmp
set isakmp-profile vpnprofile
Related Commands
vrf
To define the virtual routing and forwarding (VRF) value to which the IP Security (IPSec) tunnel will be mapped, use the vrf command in isakmp profile configuration mode. To disable the VRF that was defined, use the no form of this command.
vrf ivrf
no vrf ivrf
Syntax Description
Defaults
The VRF will be the same as the front door VRF (FVRF).
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).
If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.
If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange [IKE] main mode with signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.
Examples
The following example shows that two IPSec tunnels to VPN 1 and VPN 2 are terminated:
crypto isakmp profile vpn1
vrf vpn1
keyring vpn1
match identity address 172.16.1.1 255.255.255.255
crypto isakmp profile vpn2
vrf vpn2
keyring vpn2
match identity address 10.1.1.1 255.255.255.255
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
crypto map crypmap 3 ipsec-isakmp
set peer 10.1.1.1
set transform-set vpn2
set isakmp-profile vpn2
match address 102
!
!
interface Ethernet1/2
ip address 172.26.1.1 255.255.255.0
duplex half
no keepalive
no cdp enable
crypto map crypmap
!
Glossary
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IP security [IPSec]) that require keys. Before any IPSec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a certification authority (CA) service.
IPSec—IP security. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
ISAKMP—Internet Security Association and Key Management Protocol. ISAKMP is an Internet IPSec protocol (RFC 2408) that negotiates, establishes, modifies, and deletes security associations. It also exchanges key generation and authentication data (independent of the details of any specific key generation technique), key establishment protocol, encryption algorithm, or authentication mechanism.
L2TP session—Layer 2 Tunneling Protocol session. An L2TP session is the set of communications transactions between the L2TP access concentrator (LAC) and the L2TP network server (LNS) that supports tunneling of a single PPP connection. There is a one-to-one relationship among the PPP connection, L2TP session, and L2TP call.
NAS—network access server. A NAS is a Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the public switched telephone network [PSTN]).
PFS—perfect forward secrecy. PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
QM—Quick Mode. Quick Mode is the IKE Phase 2 exchange, protected by the IKE SA, in which the peers negotiate the IPSec SAs and their keying material (the "beginning Quick Mode exchange" line in the debug crypto isakmp output).
RADIUS—Remote Authentication Dial-In User Service. RADIUS is a client/server protocol used to authenticate dial-in (modem and ISDN) connections and to account for connection time.
RSA—Rivest, Shamir, and Adleman. Rivest, Shamir, and Adleman are the inventors of the public-key cryptographic system that can be used for encryption and authentication.
SA—security association. A SA is an instance of security policy and keying material that is applied to a data flow.
TACACS+—Terminal Access Controller Access Control System Plus. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.
TED—Tunnel Endpoint Discovery. TED is a Cisco IOS software feature that allows routers to discover IPSec endpoints.
VPN—Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VRF—A VPN routing/forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.
VSA—vendor-specific attribute. A VSA is an attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value.
XAUTH—Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).
Note
Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.

