Contents

IPsec VPN Accounting

The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPsec) pair is created and stops when all IPsec SAs are deleted.

Session identifying information and session usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server through standard RADIUS attributes and vendor-specific attributes (VSAs).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for IPsec VPN Accounting

  • Understand how to configure RADIUS and authentication, authorization, and accounting (AAA) accounting.

  • Understand how to configure IPsec accounting.

Information About IPsec VPN Accounting

RADIUS Accounting

For many large networks, it is required that user activity be recorded for auditing purposes. The method that is used most is RADIUS accounting.

RADIUS accounting allows for a session to be accounted for by indicating when the session starts and when it stops. Additionally, session identifying information and session usage information is passed to the RADIUS server through RADIUS attributes and VSAs.

RADIUS Start Accounting

The RADIUS Start packet contains many attributes that generally identify who is requesting the service and of what the property of that service consists. The table below represents the attributes required for the start.

Table 1 RADIUS Accounting Start Packet Attributes

RADIUS Attributes

Value

Attribute

Description

1

user-name

Username used in extended authentication (XAUTH).The username may be NULL when XAUTH is not used.

4

nas-ip-address

Identifying IP address of the network access server (NAS) that serves the user. It should be unique to the NAS within the scope of the RADIUS server.

5

nas-port

Physical port number of the NAS that serves the user.

8

framed-ip-address

Private address allocated for the IP Security (IPsec) session.

40

acct-status-type

Status type. This attribute indicates whether this accounting request marks the beginning (start), the end (stop), or an update of the session.

41

acct-delay-time

Number of seconds the client has been trying to send a particular record.

44

acct-session-id

Unique accounting identifier that makes it easy to match start and stop records in a log file.

26

vrf-id

String that represents the name of the Virtual Route Forwarder (VRF).

26

isakmp-initiator-ip

Endpoint IP address of the remote Internet Key Exchange (IKE) initiator (V4).

26

isakmp-group-id

Name of the VPN group profile used for accounting.

26

isakmp-phase1-id

Phase 1 identification (ID) used by IKE (for example, domain name [DN], fully qualified domain name [FQDN], IP address) to help identify the session initiator.

RADIUS Stop Accounting

The RADIUS Stop packet contains many attributes that identify the usage of the session. Table 2 represents the additional attributes required for the RADIUS stop packet. It is possible that only the stop packet is sent without the start if configured to do so. If only the stop packet is sent, this allows an easy way to reduce the number of records going to the AAA server.

Table 2 RADIUS Accounting Stop Packet Attributes

RADIUS Attributes

Value

Attribute

Description

42

acct-input-octets

Number of octets that have been received from the Unity client over the course of the service that is being provided.

43

acct-output-octets

Number of octets that have been sent to the Unity client in the course of delivering this service.

46

acct-session-time

Length of time (in seconds) that the Unity client has received service.

47

acct-input-packets

Quantity of packets that have been received from the Unity client in the course of delivering this service.

48

acct-output-packets

Quantity of packets that have been sent to the Unity client in the course of delivering this service.

49

acct-terminate-cause

For future use.

52

acct-input-gigawords

How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.

52

acct-output-gigawords

How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.

RADIUS Update Accounting

RADIUS accounting updates are supported. Packet and octet counts are shown in the updates.

IKE and IPsec Subsystem Interaction

Accounting Start

If IPsec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying.

The following is an account start record that was generated on a router and that is to be sent to the AAA server that is defined:

*Aug 23 04:06:20.131: RADIUS(00000002): sending
*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 220
*Aug 23 04:06:20.131: RADIUS:  authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 FB 3F
*Aug 23 04:06:20.135: RADIUS:  Acct-Session-Id     [44]  10  "00000001"
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  31  
*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   25  "isakmp-group-id=cclient"
*Aug 23 04:06:20.135: RADIUS:  Framed-IP-Address   [8]   6   10.13.13.1                
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  20  
*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  35  
*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.2.2"
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  36  
*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
*Aug 23 04:06:20.135: RADIUS:  User-Name           [1]   13  "username1"
*Aug 23 04:06:20.135: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  25  
*Aug 23 04:06:20.135: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
*Aug 23 04:06:20.135: RADIUS:  NAS-Port            [5]   6   0                         
*Aug 23 04:06:20.135: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.147               
*Aug 23 04:06:20.135: RADIUS:  Acct-Delay-Time     [41]  6   0                         
*Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 10.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:06:20.139: RADIUS:  authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 9D 5D

Accounting Stop

An accounting stop packet is generated when there are no more flows (IPsec SA pairs) with the remote peer.

The accounting stop records contain the following information:

  • Packets out

  • Packets in

  • Octets out

  • Gigawords in

  • Gigawords out

Below is an account start record that was generated on a router. The account start record is to be sent to the AAA server that is defined.

*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS(00000003): sending
*Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238
*Aug 23 04:20:16.519: RADIUS:  authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 3E E6
*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Id     [44]  10  "00000002"
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  20  
*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  35  
*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.1.2"
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  36  
*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Time   [46]  6   709                       
*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Octets   [42]  6   152608                    
*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Octets  [43]  6   152608                    
*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Packets  [47]  6   1004                      
*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Packets [48]  6   1004  
*Apr 23 04:20:16.519: RADIUS:  Acct-Input-Giga-Word[52]  6   0                         
*Apr 23 04:20:16.519: RADIUS:  Acct-Output-Giga-Wor[53]  6   0                                             
*Aug 23 04:20:16.519: RADIUS:  Acct-Terminate-Cause[49]  6   none                      [0]
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  32  
*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   26  "disc-cause-ext=No Reason"
*Aug 23 04:20:16.519: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  25  
*Aug 23 04:20:16.519: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
*Aug 23 04:20:16.519: RADIUS:  NAS-Port            [5]   6   0                         
*Aug 23 04:20:16.519: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               
*Aug 23 04:20:16.519: RADIUS:  Acct-Delay-Time     [41]  6   0                         
*Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:20:16.523: RADIUS:  authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 22 A0

Accounting Updates

If accounting updates are enabled, accounting updates are sent while a session is “up.” The update interval is configurable. To enable the accounting updates, use the aaa accounting update command.

The following is an accounting update record that is being sent from the router:

Router#
*Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0
*Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147
*Aug 23 21:46:05.263: RADIUS(00000004): sending
*Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, len 200
*Aug 23 21:46:05.263: RADIUS:  authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 52 25
*Aug 23 21:46:05.263: RADIUS:  Acct-Session-Id     [44]  10  "00000003"
*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  20  
*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  35  
*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.1.2"
*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  36  
*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
*Aug 23 21:46:05.263: RADIUS:  Acct-Session-Time   [46]  6   109                       
*Aug 23 21:46:05.263: RADIUS:  Acct-Input-Octets   [42]  6   608                       
*Aug 23 21:46:05.263: RADIUS:  Acct-Output-Octets  [43]  6   608                       
*Aug 23 21:46:05.263: RADIUS:  Acct-Input-Packets  [47]  6   4                         
*Aug 23 21:46:05.263: RADIUS:  Acct-Output-Packets [48]  6   4                         
*Aug 23 21:46:05.263: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  25  
*Aug 23 21:46:05.263: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
*Aug 23 21:46:05.263: RADIUS:  NAS-Port            [5]   6   0                         
*Aug 23 21:46:05.263: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               
*Aug 23 21:46:05.263: RADIUS:  Acct-Delay-Time     [41]  6   0                         
*Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 21:46:05.267: RADIUS:  authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 1C

How to Configure IPsec VPN Accounting

Configuring IPsec VPN Accounting

Before You Begin

IPsec must be configured first before configuring IPsec VPN accounting.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa authentication login list-name method

    5.    aaa authorization network list-name method

    6.    aaa accounting network list-name start-stop [broadcast] group group-name

    7.    aaa session-id common

    8.    crypto isakmp profile profile-name

    9.    vrf ivrf

    10.    match identity group group-name

    11.    client authentication list list-name

    12.    isakmp authorization list list-name

    13.    client configuration address [initiate | respond]

    14.    accounting list-name

    15.    exit

    16.    crypto dynamic-map dynamic-map-name dynamic-seq-num

    17.    set transform-set transform-set-name

    18.    set isakmp-profile profile-name

    19.    reverse-route [remote-peer]

    20.    exit

    21.    crypto map map-name ipsec-isakmp dynamic dynamic-template-name

    22.    radius-server host ip-address [auth-port port-number] [acct-port port-number]

    23.    radius-server key string

    24.    radius-server vsa send accounting

    25.    interface type slot / port

    26.    crypto map map-name


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 aaa new-model


    Example:
    Router (config)# aaa new-model
     

    Enables periodic interim accounting records to be sent to the accounting server.

     
    Step 4 aaa authentication login list-name method


    Example:
    Router (config)# aaa authentication login cisco-client group radius
     

    Enforces authentication, authorization, and accounting (AAA) authentication for extended authorization (XAUTH) through RADIUS or local.

     
    Step 5 aaa authorization network list-name method


    Example:
    Router (config)# aaa authorization network cisco-client group radius
     

    Sets AAA authorization parameters on the remote client from RADIUS or local.

     
    Step 6 aaa accounting network list-name start-stop [broadcast] group group-name


    Example:
    Router (config)# aaa accounting network acc start-stop broadcast group radius
     

    Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used.

     
    Step 7 aaa session-id common


    Example:
    Router (config)# aaa session-id common
     

    Specifies whether the same session ID is used for each AAA accounting service type within a call or whether a different session ID is assigned to each accounting service type.

     
    Step 8 crypto isakmp profile profile-name


    Example:
    Route (config)# crypto isakmp profile cisco
     

    Audits IP security (IPsec) user sessions and enters isakmp-profile submode.

     
    Step 9 vrf ivrf


    Example:
    Router (conf-isa-prof)# vrf cisco
     

    Associates the on-demand address pool with a Virtual Private Network (VPN) routing and forwarding (VRF) instance name.

     
    Step 10 match identity group group-name


    Example:
    Router(conf-isa-prof)# match identity group cisco
     

    Matches an identity from a peer in an ISAKMP profile.

     
    Step 11 client authentication list list-name


    Example:
    Router(conf-isa-prof)# client authentication list cisco
     

    Configures Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile.

     
    Step 12 isakmp authorization list list-name


    Example:
    Router(conf-isa-prof)# isakmp authorization list cisco-client
     

    Configures an IKE shared secret and other parameters using the AAA server in an ISAKMP profile. The shared secret and other parameters are generally pushed to the remote peer through mode configuration (MODECFG).

     
    Step 13 client configuration address [initiate | respond]


    Example:
    Router(conf-isa-prof)# client configuration address respond
     

    Configures IKE mode configuration (MODECFG) in the ISAKMP profile.

     
    Step 14 accounting list-name


    Example:
    Router(conf-isa-prof)# accounting acc
     

    Enables AAA accounting services for all peers that connect through this ISAKMP profile.

     
    Step 15 exit


    Example:
    Router(conf-isa-prof)# exit
     

    Exits isakmp-profile submode.

     
    Step 16 crypto dynamic-map dynamic-map-name dynamic-seq-num


    Example:
    Router(config)# crypto dynamic-map mymap 10 ipsec-isakmp
     

    Creates a dynamic crypto map template and enters the crypto map configuration command mode.

     
    Step 17 set transform-set transform-set-name


    Example:
    Router(config-crypto-map)# set transform-set aswan
     

    Specifies which transform sets can be used with the crypto map template.

     
    Step 18 set isakmp-profile profile-name


    Example:
    Router(config-crypto-map)# set isakmp-profile cisco
     

    Sets the ISAKMP profile name.

     
    Step 19 reverse-route [remote-peer]


    Example:
    Router(config-crypto-map)# reverse-route
     

    Allows routes (ip addresses) to be injected for destinations behind the VPN remote tunnel endpoint and may include a route to the tunnel endpoint itself (using the remote-peer keyword for the crypto map.

     
    Step 20 exit


    Example:
    Router(config-crypto-map)# exit
     

    Exits dynamic crypto map configuration mode.

     
    Step 21 crypto map map-name ipsec-isakmp dynamic dynamic-template-name


    Example:
    Router(config)# crypto map mymap ipsec-isakmp dynamic dmap
     

    Enters crypto map configuration mode

     
    Step 22 radius-server host ip-address [auth-port port-number] [acct-port port-number]


    Example:
    Router(config)# radius-server host 172.16.1.4
     

    Specifies a RADIUS server host.

     
    Step 23 radius-server key string


    Example:
    Router(config)# radius-server key nsite
     

    Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

     
    Step 24 radius-server vsa send accounting


    Example:
    Router(config)# radius-server vsa send accounting
     

    Configures the network access server to recognize and use vendor-specific attributes.

     
    Step 25 interface type slot / port


    Example:
    Router(config)# interface FastEthernet 1/0
     

    Configures an interface type and enters interface configuration mode.

     
    Step 26 crypto map map-name


    Example:
    Router(config-if)# crypto map mymap
     

    Applies a previously defined crypto map set to an interface.

     

    Configuring Accounting Updates

    To send accounting updates while a session is “up,” perform the following optional task:

    Before You Begin

    IPsec VPN accounting must be configured before accounting updates are configured. See Configuring IPsec VPN Accounting for more information.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    aaa accounting update periodic number


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 aaa accounting update periodic number


      Example:
      Router (config)# aaa accounting update periodic 1-2147483647
       

      (Optional) Enables periodic interim accounting records to be sent to the accounting server.

       

      Troubleshooting for IPsec VPN Accounting

      To display messages about IPsec accounting events, perform the following optional task:

      SUMMARY STEPS

        1.    enable

        2.    debug crypto isakmp aaa


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 debug crypto isakmp aaa


        Example:
        Router# debug crypto isakmp aaa
         

        Displays messages about Internet Key Exchange (IKE) events.

        • The aaa keyword specifies accounting events.

         

        Configuration Examples for IPsec VPN Accounting

        Accounting and ISAKMP-Profile Example

        The following example shows a configuration for supporting remote access clients with accounting and ISAKMP profiles:

        version 2.1 
        service timestamps debug datetime msec 
        service timestamps log datetime msec 
        no service password-encryption 
        ! 
        hostname sheep 
        ! 
        aaa new-model 
        ! 
        ! 
        aaa accounting network ipsecaaa start-stop group radius 
        aaa accounting update periodic 1 
        aaa session-id common 
        ip subnet-zero 
        ip cef 
        ! 
        ! 
        no ip domain lookup 
        ip domain name cisco.com 
        ip name-server 172.29.2.133 
        ip name-server 172.29.11.48 
        ! 
        ! 
        crypto isakmp policy 1 
        authentication pre-share 
        group 2 
        ! 
        crypto isakmp policy 10 
        hash md5 
        authentication pre-share 
        lifetime 200 
        crypto isakmp key cisco address 172.31.100.2 
        crypto iakmp client configuration group cclient
         key jegjegjhrg
         pool addressA
         
        crypto-isakmp profile groupA
         vrf cisco 
         match identity group cclient 
         client authentication list cisco-client 
         isakmp authorization list cisco-client 
         client configuration address respond 
         accounting acc 
        ! 
        ! 
        crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 
        !
        crypto dynamic-map remotes 1
        set peer 172.31.100.2 
        set security-association lifetime seconds 120 
        set transform-set esp-des-md5 
        reverse-route
        ! 
        crypto map test 10 ipsec-isakmp dynamic remotes
        ! 
        voice call carrier capacity active 
        ! 
        interface Loopback0 
        ip address 10.20.20.20 255.255.255.0 
        no ip route-cache 
        no ip mroute-cache 
        ! 
        interface FastEthernet0/0 
        ip address 10.2.80.203 255.255.255.0 
        no ip mroute-cache 
        load-interval 30 
        duplex full 
        ! 
        interface FastEthernet1/0 
        ip address 192.168.219.2 255.255.255.0 
        no ip mroute-cache 
        duplex auto 
        speed auto 
        ! 
        interface FastEthernet1/1 
        ip address 172.28.100.1 255.255.255.0 
        no ip mroute-cache 
        duplex auto 
        speed auto 
        crypto map test 
        ! 
        no fair-queue 
        ip default-gateway 10.2.80.1 
        ip classless 
        ip route 10.0.0.0 0.0.0.0 10.2.80.1 
        ip route 10.20.0.0 255.0.0.0 10.2.80.56 
        ip route 10.10.10.0 255.255.255.0 172.31.100.2 
        ip route 10.0.0.2 255.255.255.255 10.2.80.73 
        ip local pool addressA 192.168.1.1 192.168.1.253
        no ip http server 
        ip pim bidir-enable 
        ! 
        ! 
        ip access-list extended encrypt 
        permit ip host 10.0.0.1 host 10.5.0.1 
        ! 
        access-list 101 permit ip host 10.20.20.20 host 10.10.10.10 
        ! 
        ! 
        radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123 
        radius-server retransmit 3 
        radius-server authorization permit missing Service-Type 
        radius-server vsa send accounting 
        call rsvp-sync 
        ! 
        ! 
        mgcp profile default 
        ! 
        dial-peer cor custom 
        ! 
        ! 
        gatekeeper 
        shutdown 
        ! 
        ! 
        line con 0 
        exec-timeout 0 0 
        exec prompt timestamp 
        line aux 0 
        line vty 5 15 
         ntp server 172.31.150.52 
        end

        Accounting Without ISAKMP Profiles Example

        The following example shows a full Cisco IOS XE configuration that supports accounting remote access peers when ISAKMP profiles are not used:

        version 2.1
        service timestamps debug datetime msec
        service timestamps log datetime msec
        no service password-encryption
        !
        hostname sheep
        !
        aaa new-model
        !
        !
        aaa accounting network ipsecaaa start-stop group radius
        aaa accounting update periodic 1
        aaa session-id common
        ip subnet-zero
        ip cef
        !
        !
        no ip domain lookup
        ip domain name cisco.com
        ip name-server 172.29.2.133
        ip name-server 172.29.11.48
        !
        !
        crypto isakmp policy 1
         authentication pre-share
         group 2
        !
        crypto isakmp policy 10
         hash md5
         authentication pre-share
         lifetime 200
        crypto isakmp key cisco address 172.31.100.2
        !
        !
        crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 
        !
        crypto map test client accounting list ipsecaaa
        crypto map test 10 ipsec-isakmp 
         set peer 172.31.100.2
         set security-association lifetime seconds 120
         set transform-set esp-des-md5 
         match address 101
        !
        voice call carrier capacity active
        !
        interface Loopback0
         ip address 10.20.20.20 255.255.255.0
         no ip route-cache
         no ip mroute-cache
        !
        interface FastEthernet0/0
         ip address 10.2.80.203 255.255.255.0
         no ip mroute-cache
         load-interval 30
         duplex full
        !
        interface FastEthernet1/0
         ip address 192.168.219.2 255.255.255.0
         no ip mroute-cache
         duplex auto
         speed auto
        !
        interface FastEthernet1/1
         ip address 172.28.100.1 255.255.255.0
         no ip mroute-cache
         duplex auto
         speed auto
         crypto map test
        !
        no fair-queue
        ip default-gateway 10.2.80.1
        ip classless
        ip route 10.0.0.0 0.0.0.0 10.2.80.1
        ip route 10.30.0.0 255.0.0.0 10.2.80.56
        ip route 10.10.10.0 255.255.255.0 172.31.100.2
        ip route 10.0.0.2 255.255.255.255 10.2.80.73
        no ip http server
        ip pim bidir-enable
        !
        !
        ip access-list extended encrypt
         permit ip host 10.0.0.1 host 10.5.0.1
        !
        access-list 101 permit ip host 10.20.20.20 host 10.10.10.10
        !
        !
        radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123
        radius-server retransmit 3
        radius-server authorization permit missing Service-Type
        radius-server vsa send accounting
        call rsvp-sync
        !
        !
        mgcp profile default
        !
        dial-peer cor custom
        !
        !
        gatekeeper
         shutdown
        !
        !
        line con 0
         exec-timeout 0 0
         exec prompt timestamp
        line aux 0
        line vty 5 15
        !
        exception core-file ioscrypto/core/sheep-core
        exception dump 172.25.1.129
        ntp clock-period 17208229
        ntp server 172.71.150.52
        !
        end

        Additional References

        Related Documents

        Related Topic

        Document Title

        Configuring AAA accounting

        “ Configuring Accounting ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

        Configuring IPsec VPN accounting

        “ Configuring Security for VPNs with IPsec ” module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

        Configuring basic AAA RADIUS

        “ Configuring RADIUS ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

        Configuring ISAKMP profiles

        “ VRF-Aware IPsec ” module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

        Privilege levels with TACACS+ and RADIUS

        • “ Configuring TACACS+ ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

        • “ Configuring RADIUS ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

        IP security, RADIUS, and AAA commands

        Cisco IOS Security Command Reference

        Standards

        Standard

        Title

        None.

        --

        MIBs

        MIB

        MIBs Link

        None.

        To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        RFCs

        RFC

        Title

        None.

        Technical Assistance

        Description

        Link

        The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

        To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

        Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for IPsec VPN Accounting

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
        Table 3 Feature Information for IPsec VPN Accounting

        Feature Name

        Releases

        Feature Information

        IPsec VPN Accounting

        Cisco IOS XE Release 2.1

        The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

        A VPN session is defined as an IKE SA and the one or more SA pairs that are created by the IKE SA. The session starts when the first IPsec pair is created and stops when all IPsec SAs are deleted.

        Session identifying information and session usage information is passed to the RADIUS server through standard RADIUS attributes and VSAs.

        The following commands were introduced or modified: client authentication list, client configuration address, crypto isakmp profile, crypto map (global IPsec), debug crypto isakmp, isakmp authorization list, match identity, set isakmp-profile, vrf.

        Glossary

        IKE --Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IP security [IPsec]) that require keys. Before any IPsec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a certification authority (CA) service.

        IPsec --IP security. IPsec is A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

        ISAKMP --Internet Security Association and Key Management Protocol. ISAKMP is an Internet IPsec protocol (RFC 2408) that negotiates, establishes, modifies, and deletes security associations. It also exchanges key generation and authentication data (independent of the details of any specific key generation technique), key establishment protocol, encryption algorithm, or authentication mechanism.

        L2TP session --Layer 2 Transport Protocol. L2TP are communications transactions between the L2TP access concentrator (LAC) and the L2TP network server (LNS) that support tunneling of a single PPP connection. There is a one-to-one relationship among the PPP connection, L2TP session, and L2TP call.

        NAS --network access server. A NAS is a Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the public switched telephone network [PSTN]).

        PFS --perfect forward secrecy. PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.

        QM --Queue Manager. The Cisco IP Queue Manager (IP QM) is an intelligent, IP-based, call-treatment and routing solution that provides powerful call-treatment options as part of the Cisco IP Contact Center (IPCC) solution.

        RADIUS --Remote Authentication Dial-In User Service. RADIUS is a database for authenticating modem and ISDN connections and for tracking connection time.

        RSA --Rivest, Shamir, and Adelman. Rivest, Shamir, and Adelman are the inventors of the Public-key cryptographic system that can be used for encryption and authentication.

        SA --security association. A SA is an instance of security policy and keying material that is applied to a data flow.

        TACACS+ --Terminal Access Controller Access Control System Plus. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.

        VPN --Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.

        VRF --A VPN routing/forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

        VSA --vendor-specific attribute. A VSA is an attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value.

        XAUTH --Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).


        IPsec VPN Accounting

        IPsec VPN Accounting

        The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

        A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPsec) pair is created and stops when all IPsec SAs are deleted.

        Session identifying information and session usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server through standard RADIUS attributes and vendor-specific attributes (VSAs).

        Finding Feature Information

        Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Prerequisites for IPsec VPN Accounting

        • Understand how to configure RADIUS and authentication, authorization, and accounting (AAA) accounting.

        • Understand how to configure IPsec accounting.

        Information About IPsec VPN Accounting

        RADIUS Accounting

        For many large networks, it is required that user activity be recorded for auditing purposes. The method that is used most is RADIUS accounting.

        RADIUS accounting allows for a session to be accounted for by indicating when the session starts and when it stops. Additionally, session identifying information and session usage information is passed to the RADIUS server through RADIUS attributes and VSAs.

        RADIUS Start Accounting

        The RADIUS Start packet contains many attributes that generally identify who is requesting the service and of what the property of that service consists. The table below represents the attributes required for the start.

        Table 1 RADIUS Accounting Start Packet Attributes

        RADIUS Attributes

        Value

        Attribute

        Description

        1

        user-name

        Username used in extended authentication (XAUTH).The username may be NULL when XAUTH is not used.

        4

        nas-ip-address

        Identifying IP address of the network access server (NAS) that serves the user. It should be unique to the NAS within the scope of the RADIUS server.

        5

        nas-port

        Physical port number of the NAS that serves the user.

        8

        framed-ip-address

        Private address allocated for the IP Security (IPsec) session.

        40

        acct-status-type

        Status type. This attribute indicates whether this accounting request marks the beginning (start), the end (stop), or an update of the session.

        41

        acct-delay-time

        Number of seconds the client has been trying to send a particular record.

        44

        acct-session-id

        Unique accounting identifier that makes it easy to match start and stop records in a log file.

        26

        vrf-id

        String that represents the name of the Virtual Route Forwarder (VRF).

        26

        isakmp-initiator-ip

        Endpoint IP address of the remote Internet Key Exchange (IKE) initiator (V4).

        26

        isakmp-group-id

        Name of the VPN group profile used for accounting.

        26

        isakmp-phase1-id

        Phase 1 identification (ID) used by IKE (for example, domain name [DN], fully qualified domain name [FQDN], IP address) to help identify the session initiator.

        RADIUS Stop Accounting

        The RADIUS Stop packet contains many attributes that identify the usage of the session. Table 2 represents the additional attributes required for the RADIUS stop packet. It is possible that only the stop packet is sent without the start if configured to do so. If only the stop packet is sent, this allows an easy way to reduce the number of records going to the AAA server.

        Table 2 RADIUS Accounting Stop Packet Attributes

        RADIUS Attributes

        Value

        Attribute

        Description

        42

        acct-input-octets

        Number of octets that have been received from the Unity client over the course of the service that is being provided.

        43

        acct-output-octets

        Number of octets that have been sent to the Unity client in the course of delivering this service.

        46

        acct-session-time

        Length of time (in seconds) that the Unity client has received service.

        47

        acct-input-packets

        Quantity of packets that have been received from the Unity client in the course of delivering this service.

        48

        acct-output-packets

        Quantity of packets that have been sent to the Unity client in the course of delivering this service.

        49

        acct-terminate-cause

        For future use.

        52

        acct-input-gigawords

        How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.

        52

        acct-output-gigawords

        How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.

        RADIUS Update Accounting

        RADIUS accounting updates are supported. Packet and octet counts are shown in the updates.

        IKE and IPsec Subsystem Interaction

        Accounting Start

        If IPsec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying.

        The following is an account start record that was generated on a router and that is to be sent to the AAA server that is defined:

        *Aug 23 04:06:20.131: RADIUS(00000002): sending
        *Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 220
        *Aug 23 04:06:20.131: RADIUS:  authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 FB 3F
        *Aug 23 04:06:20.135: RADIUS:  Acct-Session-Id     [44]  10  "00000001"
        *Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  31  
        *Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   25  "isakmp-group-id=cclient"
        *Aug 23 04:06:20.135: RADIUS:  Framed-IP-Address   [8]   6   10.13.13.1                
        *Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  20  
        *Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
        *Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  35  
        *Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.2.2"
        *Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  36  
        *Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
        *Aug 23 04:06:20.135: RADIUS:  User-Name           [1]   13  "username1"
        *Aug 23 04:06:20.135: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
        *Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  25  
        *Aug 23 04:06:20.135: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
        *Aug 23 04:06:20.135: RADIUS:  NAS-Port            [5]   6   0                         
        *Aug 23 04:06:20.135: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.147               
        *Aug 23 04:06:20.135: RADIUS:  Acct-Delay-Time     [41]  6   0                         
        *Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 10.1.1.4:1646, Accounting-response, len 20
        *Aug 23 04:06:20.139: RADIUS:  authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 9D 5D

        Accounting Stop

        An accounting stop packet is generated when there are no more flows (IPsec SA pairs) with the remote peer.

        The accounting stop records contain the following information:

        • Packets out

        • Packets in

        • Octets out

        • Gigawords in

        • Gigawords out

        Below is an account start record that was generated on a router. The account start record is to be sent to the AAA server that is defined.

        *Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
        *Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
        *Aug 23 04:20:16.519: RADIUS(00000003): sending
        *Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238
        *Aug 23 04:20:16.519: RADIUS:  authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 3E E6
        *Aug 23 04:20:16.519: RADIUS:  Acct-Session-Id     [44]  10  "00000002"
        *Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  20  
        *Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
        *Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  35  
        *Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.1.2"
        *Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  36  
        *Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
        *Aug 23 04:20:16.519: RADIUS:  Acct-Session-Time   [46]  6   709                       
        *Aug 23 04:20:16.519: RADIUS:  Acct-Input-Octets   [42]  6   152608                    
        *Aug 23 04:20:16.519: RADIUS:  Acct-Output-Octets  [43]  6   152608                    
        *Aug 23 04:20:16.519: RADIUS:  Acct-Input-Packets  [47]  6   1004                      
        *Aug 23 04:20:16.519: RADIUS:  Acct-Output-Packets [48]  6   1004  
        *Apr 23 04:20:16.519: RADIUS:  Acct-Input-Giga-Word[52]  6   0                         
        *Apr 23 04:20:16.519: RADIUS:  Acct-Output-Giga-Wor[53]  6   0                                             
        *Aug 23 04:20:16.519: RADIUS:  Acct-Terminate-Cause[49]  6   none                      [0]
        *Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  32  
        *Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   26  "disc-cause-ext=No Reason"
        *Aug 23 04:20:16.519: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
        *Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  25  
        *Aug 23 04:20:16.519: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
        *Aug 23 04:20:16.519: RADIUS:  NAS-Port            [5]   6   0                         
        *Aug 23 04:20:16.519: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               
        *Aug 23 04:20:16.519: RADIUS:  Acct-Delay-Time     [41]  6   0                         
        *Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, Accounting-response, len 20
        *Aug 23 04:20:16.523: RADIUS:  authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 22 A0

        Accounting Updates

        If accounting updates are enabled, accounting updates are sent while a session is “up.” The update interval is configurable. To enable the accounting updates, use the aaa accounting update command.

        The following is an accounting update record that is being sent from the router:

        Router#
        *Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0
        *Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147
        *Aug 23 21:46:05.263: RADIUS(00000004): sending
        *Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, len 200
        *Aug 23 21:46:05.263: RADIUS:  authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 52 25
        *Aug 23 21:46:05.263: RADIUS:  Acct-Session-Id     [44]  10  "00000003"
        *Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  20  
        *Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"
        *Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  35  
        *Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=10.1.1.2"
        *Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  36  
        *Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
        *Aug 23 21:46:05.263: RADIUS:  Acct-Session-Time   [46]  6   109                       
        *Aug 23 21:46:05.263: RADIUS:  Acct-Input-Octets   [42]  6   608                       
        *Aug 23 21:46:05.263: RADIUS:  Acct-Output-Octets  [43]  6   608                       
        *Aug 23 21:46:05.263: RADIUS:  Acct-Input-Packets  [47]  6   4                         
        *Aug 23 21:46:05.263: RADIUS:  Acct-Output-Packets [48]  6   4                         
        *Aug 23 21:46:05.263: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
        *Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  25  
        *Aug 23 21:46:05.263: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"
        *Aug 23 21:46:05.263: RADIUS:  NAS-Port            [5]   6   0                         
        *Aug 23 21:46:05.263: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               
        *Aug 23 21:46:05.263: RADIUS:  Acct-Delay-Time     [41]  6   0                         
        *Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, Accounting-response, len 20
        *Aug 23 21:46:05.267: RADIUS:  authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 1C

        How to Configure IPsec VPN Accounting

        Configuring IPsec VPN Accounting

        Before You Begin

        IPsec must be configured first before configuring IPsec VPN accounting.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    aaa new-model

          4.    aaa authentication login list-name method

          5.    aaa authorization network list-name method

          6.    aaa accounting network list-name start-stop [broadcast] group group-name

          7.    aaa session-id common

          8.    crypto isakmp profile profile-name

          9.    vrf ivrf

          10.    match identity group group-name

          11.    client authentication list list-name

          12.    isakmp authorization list list-name

          13.    client configuration address [initiate | respond]

          14.    accounting list-name

          15.    exit

          16.    crypto dynamic-map dynamic-map-name dynamic-seq-num

          17.    set transform-set transform-set-name

          18.    set isakmp-profile profile-name

          19.    reverse-route [remote-peer]

          20.    exit

          21.    crypto map map-name ipsec-isakmp dynamic dynamic-template-name

          22.    radius-server host ip-address [auth-port port-number] [acct-port port-number]

          23.    radius-server key string

          24.    radius-server vsa send accounting

          25.    interface type slot / port

          26.    crypto map map-name


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Router# configure terminal
           

          Enters global configuration mode.

           
          Step 3 aaa new-model


          Example:
          Router (config)# aaa new-model
           

          Enables periodic interim accounting records to be sent to the accounting server.

           
          Step 4 aaa authentication login list-name method


          Example:
          Router (config)# aaa authentication login cisco-client group radius
           

          Enforces authentication, authorization, and accounting (AAA) authentication for extended authorization (XAUTH) through RADIUS or local.

           
          Step 5 aaa authorization network list-name method


          Example:
          Router (config)# aaa authorization network cisco-client group radius
           

          Sets AAA authorization parameters on the remote client from RADIUS or local.

           
          Step 6 aaa accounting network list-name start-stop [broadcast] group group-name


          Example:
          Router (config)# aaa accounting network acc start-stop broadcast group radius
           

          Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used.

           
          Step 7 aaa session-id common


          Example:
          Router (config)# aaa session-id common
           

          Specifies whether the same session ID is used for each AAA accounting service type within a call or whether a different session ID is assigned to each accounting service type.

           
          Step 8 crypto isakmp profile profile-name


          Example:
          Route (config)# crypto isakmp profile cisco
           

          Audits IP security (IPsec) user sessions and enters isakmp-profile submode.

           
          Step 9 vrf ivrf


          Example:
          Router (conf-isa-prof)# vrf cisco
           

          Associates the on-demand address pool with a Virtual Private Network (VPN) routing and forwarding (VRF) instance name.

           
          Step 10 match identity group group-name


          Example:
          Router(conf-isa-prof)# match identity group cisco
           

          Matches an identity from a peer in an ISAKMP profile.

           
          Step 11 client authentication list list-name


          Example:
          Router(conf-isa-prof)# client authentication list cisco
           

          Configures Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile.

           
          Step 12 isakmp authorization list list-name


          Example:
          Router(conf-isa-prof)# isakmp authorization list cisco-client
           

          Configures an IKE shared secret and other parameters using the AAA server in an ISAKMP profile. The shared secret and other parameters are generally pushed to the remote peer through mode configuration (MODECFG).

           
          Step 13 client configuration address [initiate | respond]


          Example:
          Router(conf-isa-prof)# client configuration address respond
           

          Configures IKE mode configuration (MODECFG) in the ISAKMP profile.

           
          Step 14 accounting list-name


          Example:
          Router(conf-isa-prof)# accounting acc
           

          Enables AAA accounting services for all peers that connect through this ISAKMP profile.

           
          Step 15 exit


          Example:
          Router(conf-isa-prof)# exit
           

          Exits isakmp-profile submode.

           
          Step 16 crypto dynamic-map dynamic-map-name dynamic-seq-num


          Example:
          Router(config)# crypto dynamic-map mymap 10 ipsec-isakmp
           

          Creates a dynamic crypto map template and enters the crypto map configuration command mode.

           
          Step 17 set transform-set transform-set-name


          Example:
          Router(config-crypto-map)# set transform-set aswan
           

          Specifies which transform sets can be used with the crypto map template.

           
          Step 18 set isakmp-profile profile-name


          Example:
          Router(config-crypto-map)# set isakmp-profile cisco
           

          Sets the ISAKMP profile name.

           
          Step 19 reverse-route [remote-peer]


          Example:
          Router(config-crypto-map)# reverse-route
           

          Allows routes (ip addresses) to be injected for destinations behind the VPN remote tunnel endpoint and may include a route to the tunnel endpoint itself (using the remote-peer keyword for the crypto map.

           
          Step 20 exit


          Example:
          Router(config-crypto-map)# exit
           

          Exits dynamic crypto map configuration mode.

           
          Step 21 crypto map map-name ipsec-isakmp dynamic dynamic-template-name


          Example:
          Router(config)# crypto map mymap ipsec-isakmp dynamic dmap
           

          Enters crypto map configuration mode

           
          Step 22 radius-server host ip-address [auth-port port-number] [acct-port port-number]


          Example:
          Router(config)# radius-server host 172.16.1.4
           

          Specifies a RADIUS server host.

           
          Step 23 radius-server key string


          Example:
          Router(config)# radius-server key nsite
           

          Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

           
          Step 24 radius-server vsa send accounting


          Example:
          Router(config)# radius-server vsa send accounting
           

          Configures the network access server to recognize and use vendor-specific attributes.

           
          Step 25 interface type slot / port


          Example:
          Router(config)# interface FastEthernet 1/0
           

          Configures an interface type and enters interface configuration mode.

           
          Step 26 crypto map map-name


          Example:
          Router(config-if)# crypto map mymap
           

          Applies a previously defined crypto map set to an interface.

           

          Configuring Accounting Updates

          To send accounting updates while a session is “up,” perform the following optional task:

          Before You Begin

          IPsec VPN accounting must be configured before accounting updates are configured. See Configuring IPsec VPN Accounting for more information.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    aaa accounting update periodic number


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Router> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 configure terminal


            Example:
            Router# configure terminal
             

            Enters global configuration mode.

             
            Step 3 aaa accounting update periodic number


            Example:
            Router (config)# aaa accounting update periodic 1-2147483647
             

            (Optional) Enables periodic interim accounting records to be sent to the accounting server.

             

            Troubleshooting for IPsec VPN Accounting

            To display messages about IPsec accounting events, perform the following optional task:

            SUMMARY STEPS

              1.    enable

              2.    debug crypto isakmp aaa


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Router> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.

               
              Step 2 debug crypto isakmp aaa


              Example:
              Router# debug crypto isakmp aaa
               

              Displays messages about Internet Key Exchange (IKE) events.

              • The aaa keyword specifies accounting events.

               

              Configuration Examples for IPsec VPN Accounting

              Accounting and ISAKMP-Profile Example

              The following example shows a configuration for supporting remote access clients with accounting and ISAKMP profiles:

              version 2.1 
              service timestamps debug datetime msec 
              service timestamps log datetime msec 
              no service password-encryption 
              ! 
              hostname sheep 
              ! 
              aaa new-model 
              ! 
              ! 
              aaa accounting network ipsecaaa start-stop group radius 
              aaa accounting update periodic 1 
              aaa session-id common 
              ip subnet-zero 
              ip cef 
              ! 
              ! 
              no ip domain lookup 
              ip domain name cisco.com 
              ip name-server 172.29.2.133 
              ip name-server 172.29.11.48 
              ! 
              ! 
              crypto isakmp policy 1 
              authentication pre-share 
              group 2 
              ! 
              crypto isakmp policy 10 
              hash md5 
              authentication pre-share 
              lifetime 200 
              crypto isakmp key cisco address 172.31.100.2 
              crypto iakmp client configuration group cclient
               key jegjegjhrg
               pool addressA
               
              crypto-isakmp profile groupA
               vrf cisco 
               match identity group cclient 
               client authentication list cisco-client 
               isakmp authorization list cisco-client 
               client configuration address respond 
               accounting acc 
              ! 
              ! 
              crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 
              !
              crypto dynamic-map remotes 1
              set peer 172.31.100.2 
              set security-association lifetime seconds 120 
              set transform-set esp-des-md5 
              reverse-route
              ! 
              crypto map test 10 ipsec-isakmp dynamic remotes
              ! 
              voice call carrier capacity active 
              ! 
              interface Loopback0 
              ip address 10.20.20.20 255.255.255.0 
              no ip route-cache 
              no ip mroute-cache 
              ! 
              interface FastEthernet0/0 
              ip address 10.2.80.203 255.255.255.0 
              no ip mroute-cache 
              load-interval 30 
              duplex full 
              ! 
              interface FastEthernet1/0 
              ip address 192.168.219.2 255.255.255.0 
              no ip mroute-cache 
              duplex auto 
              speed auto 
              ! 
              interface FastEthernet1/1 
              ip address 172.28.100.1 255.255.255.0 
              no ip mroute-cache 
              duplex auto 
              speed auto 
              crypto map test 
              ! 
              no fair-queue 
              ip default-gateway 10.2.80.1 
              ip classless 
              ip route 10.0.0.0 0.0.0.0 10.2.80.1 
              ip route 10.20.0.0 255.0.0.0 10.2.80.56 
              ip route 10.10.10.0 255.255.255.0 172.31.100.2 
              ip route 10.0.0.2 255.255.255.255 10.2.80.73 
              ip local pool addressA 192.168.1.1 192.168.1.253
              no ip http server 
              ip pim bidir-enable 
              ! 
              ! 
              ip access-list extended encrypt 
              permit ip host 10.0.0.1 host 10.5.0.1 
              ! 
              access-list 101 permit ip host 10.20.20.20 host 10.10.10.10 
              ! 
              ! 
              radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123 
              radius-server retransmit 3 
              radius-server authorization permit missing Service-Type 
              radius-server vsa send accounting 
              call rsvp-sync 
              ! 
              ! 
              mgcp profile default 
              ! 
              dial-peer cor custom 
              ! 
              ! 
              gatekeeper 
              shutdown 
              ! 
              ! 
              line con 0 
              exec-timeout 0 0 
              exec prompt timestamp 
              line aux 0 
              line vty 5 15 
               ntp server 172.31.150.52 
              end

              Accounting Without ISAKMP Profiles Example

              The following example shows a full Cisco IOS XE configuration that supports accounting remote access peers when ISAKMP profiles are not used:

              version 2.1
              service timestamps debug datetime msec
              service timestamps log datetime msec
              no service password-encryption
              !
              hostname sheep
              !
              aaa new-model
              !
              !
              aaa accounting network ipsecaaa start-stop group radius
              aaa accounting update periodic 1
              aaa session-id common
              ip subnet-zero
              ip cef
              !
              !
              no ip domain lookup
              ip domain name cisco.com
              ip name-server 172.29.2.133
              ip name-server 172.29.11.48
              !
              !
              crypto isakmp policy 1
               authentication pre-share
               group 2
              !
              crypto isakmp policy 10
               hash md5
               authentication pre-share
               lifetime 200
              crypto isakmp key cisco address 172.31.100.2
              !
              !
              crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 
              !
              crypto map test client accounting list ipsecaaa
              crypto map test 10 ipsec-isakmp 
               set peer 172.31.100.2
               set security-association lifetime seconds 120
               set transform-set esp-des-md5 
               match address 101
              !
              voice call carrier capacity active
              !
              interface Loopback0
               ip address 10.20.20.20 255.255.255.0
               no ip route-cache
               no ip mroute-cache
              !
              interface FastEthernet0/0
               ip address 10.2.80.203 255.255.255.0
               no ip mroute-cache
               load-interval 30
               duplex full
              !
              interface FastEthernet1/0
               ip address 192.168.219.2 255.255.255.0
               no ip mroute-cache
               duplex auto
               speed auto
              !
              interface FastEthernet1/1
               ip address 172.28.100.1 255.255.255.0
               no ip mroute-cache
               duplex auto
               speed auto
               crypto map test
              !
              no fair-queue
              ip default-gateway 10.2.80.1
              ip classless
              ip route 10.0.0.0 0.0.0.0 10.2.80.1
              ip route 10.30.0.0 255.0.0.0 10.2.80.56
              ip route 10.10.10.0 255.255.255.0 172.31.100.2
              ip route 10.0.0.2 255.255.255.255 10.2.80.73
              no ip http server
              ip pim bidir-enable
              !
              !
              ip access-list extended encrypt
               permit ip host 10.0.0.1 host 10.5.0.1
              !
              access-list 101 permit ip host 10.20.20.20 host 10.10.10.10
              !
              !
              radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123
              radius-server retransmit 3
              radius-server authorization permit missing Service-Type
              radius-server vsa send accounting
              call rsvp-sync
              !
              !
              mgcp profile default
              !
              dial-peer cor custom
              !
              !
              gatekeeper
               shutdown
              !
              !
              line con 0
               exec-timeout 0 0
               exec prompt timestamp
              line aux 0
              line vty 5 15
              !
              exception core-file ioscrypto/core/sheep-core
              exception dump 172.25.1.129
              ntp clock-period 17208229
              ntp server 172.71.150.52
              !
              end

              Additional References

              Related Documents

              Related Topic

              Document Title

              Configuring AAA accounting

              “ Configuring Accounting ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

              Configuring IPsec VPN accounting

              “ Configuring Security for VPNs with IPsec ” module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

              Configuring basic AAA RADIUS

              “ Configuring RADIUS ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

              Configuring ISAKMP profiles

              “ VRF-Aware IPsec ” module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

              Privilege levels with TACACS+ and RADIUS

              • “ Configuring TACACS+ ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

              • “ Configuring RADIUS ” module in the Cisco IOS XE Security Configuration Guide: Securing User Services

              IP security, RADIUS, and AAA commands

              Cisco IOS Security Command Reference

              Standards

              Standard

              Title

              None.

              --

              MIBs

              MIB

              MIBs Link

              None.

              To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http:/​/​www.cisco.com/​go/​mibs

              RFCs

              RFC

              Title

              None.

              Technical Assistance

              Description

              Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for IPsec VPN Accounting

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
              Table 3 Feature Information for IPsec VPN Accounting

              Feature Name

              Releases

              Feature Information

              IPsec VPN Accounting

              Cisco IOS XE Release 2.1

              The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

              A VPN session is defined as an IKE SA and the one or more SA pairs that are created by the IKE SA. The session starts when the first IPsec pair is created and stops when all IPsec SAs are deleted.

              Session identifying information and session usage information is passed to the RADIUS server through standard RADIUS attributes and VSAs.

              The following commands were introduced or modified: client authentication list, client configuration address, crypto isakmp profile, crypto map (global IPsec), debug crypto isakmp, isakmp authorization list, match identity, set isakmp-profile, vrf.

              Glossary

              IKE --Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IP security [IPsec]) that require keys. Before any IPsec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a certification authority (CA) service.

              IPsec --IP security. IPsec is A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

              ISAKMP --Internet Security Association and Key Management Protocol. ISAKMP is an Internet IPsec protocol (RFC 2408) that negotiates, establishes, modifies, and deletes security associations. It also exchanges key generation and authentication data (independent of the details of any specific key generation technique), key establishment protocol, encryption algorithm, or authentication mechanism.

              L2TP session --Layer 2 Transport Protocol. L2TP are communications transactions between the L2TP access concentrator (LAC) and the L2TP network server (LNS) that support tunneling of a single PPP connection. There is a one-to-one relationship among the PPP connection, L2TP session, and L2TP call.

              NAS --network access server. A NAS is a Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the public switched telephone network [PSTN]).

              PFS --perfect forward secrecy. PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.

              QM --Queue Manager. The Cisco IP Queue Manager (IP QM) is an intelligent, IP-based, call-treatment and routing solution that provides powerful call-treatment options as part of the Cisco IP Contact Center (IPCC) solution.

              RADIUS --Remote Authentication Dial-In User Service. RADIUS is a database for authenticating modem and ISDN connections and for tracking connection time.

              RSA --Rivest, Shamir, and Adelman. Rivest, Shamir, and Adelman are the inventors of the Public-key cryptographic system that can be used for encryption and authentication.

              SA --security association. A SA is an instance of security policy and keying material that is applied to a data flow.

              TACACS+ --Terminal Access Controller Access Control System Plus. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.

              VPN --Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.

              VRF --A VPN routing/forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

              VSA --vendor-specific attribute. A VSA is an attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value.

              XAUTH --Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).