Access VPDN Dial-in Using IPSec Over L2TP

Table Of Contents

Access VPDN Dial-in Using IPSec Over L2TP

Business Objectives

Original Network Topology

Business Drivers

Possible Solutions

Proposed Solution No. 2: IPSec Tunnel Between the Peer and LNS

Overview

Network Topology

Benefits

Functional Description

Overview of Call Establishment

IPSec Negotiation Process

Implementation

Prerequisites

Design Considerations

Ramifications

Device Characteristics

Configuration Summaries

Configuring the Peer for IPSec over VPDN

Configuring the LAC for IPSec over VPDN

Configuring the LNS for IPSec over VPDN

Configuring the LNS TACACS+ Server for VPDN

Complete Configuration Files

Peer Configuration

LAC Configuration

LNS Configuration

LNS TACACS+ Server Configuration

Debug Output

Peer Debug Output from Successful IPSec Negotiation

LNS Debug Output From Successful IPSec Negotiation

Related Documents

Access VPDN Dial-in Using IPSec Over L2TP

---

Version Number	Date	Notes
1	11/17/2000	This document was created.

This document describes how an Internet service provider (ISP) partners with one of its enterprise customers to add Internet Protocol Security (IPSec) encryption to an existing virtual private dial network (VPDN).

VPDNs are networks that extend dial access to users over a shared infrastructure. They use Layer 2 tunneling protocols L2F, L2TP or PPTP to tunnel user calls through the Internet. They are a cost-effective method of establishing long-distance point-to-point connections between remote users and a private network.

However, the Internet is subject to many security threats including loss of privacy, loss of data integrity, identity spoofing, and denial of service. The Layer 2 tunneling protocols do not offer protection from these threats. The goal of IPSec is to minimize all of these threats in the existing network infrastructure itself, without requiring expensive host and application modifications.

---

Note Although the network used to document this solution is a fully functioning, end-to-end network and the complete configurations for the devices are included, this document focuses on the IPSec configurations. It does not discuss in detail such features as basic IP connectivity and VPDN configuration.

---

This document contains the following sections:

•Business Objectives

•Possible Solutions

•Proposed Solution No. 2: IPSec Tunnel Between the Peer and LNS

•Implementation

•Complete Configuration Files

•Debug Output

•Related Documents

Business Objectives

The ISP has established a VPDN network to offer remote access service to its customers. It now wants to expand this VPDN service to include encryption. The goal of the ISP is to implement this encryption service as quickly, easily, and inexpensively as possible without disrupting the existing network or purchasing new equipment.

The enterprise company has leased VPDN service from the ISP to connect its remote office to its headquarters office. This VPDN service is sufficient for nonsensitive traffic, but now the enterprise wants to be able to securely send sensitive traffic between the remote office and the headquarters. The enterprise determines that only the connection between the remote office and headquarters needs encryption—mobile users that dial-in from laptop PCs need not establish encrypted sessions.

Original Network Topology

The enterprise and ISP have already configured a VPDN network. Figure 1 shows the original VPDN network topology without IPSec.

Figure 1 Original Network Topology

Figure 1 shows the entire end-to-end network topology; however, only the devices described in Table 1 are critical to the VPDN functionality.

Table 1 VPDN Devices

Device Name	Device Chassis	Location	Maintained by	Function
Peer	Cisco 1720 router	Enterprise remote office	Enterprise	Remote users are connected to the peer. The peer initiates VPDN calls from the remote office to the enterprise headquarters.
LAC	Cisco AS5800 access server	Local ISP point-of-presence (POP)	ISP	The L2TP access concentrator (LAC) receives calls from the peer and then negotiates L2TP tunnels and sessions with the L2TP network server (LNS) to forward the calls to the LNS.
LNS	Cisco 7206 router	Enterprise headquarters	Enterprise	The LNS negotiates L2TP tunnels and sessions with the LAC.
LNS TACACS+ server	UNIX server	Enterprise headquarters	Enterprise	User names, passwords, and accounting records for the LNS are stored on the LNS AAA server. When the LNS receives a request to establish an L2TP session from the LAC, it forwards the user information to the LNS AAA server for authentication and authorization.

In this network, users at the enterprise remote office are connected to the peer. When users need to connect to the headquarters office, the peer initiates a VPDN session that uses L2TP to tunnel the user session to the headquarters office. First the peer establishes a PPP session with the local LAC of the ISP. The LAC retrieves L2TP tunneling information from the LAC AAA server, and then establishes an L2TP tunnel and session with the LNS at the enterprise headquarters. The LNS forwards the user name and password to the LNS AAA server for authentication and authorization. Once the user is authenticated and authorized, the user has access to the headquarters network.

Business Drivers

The preexisting VPDN network uses L2TP to tunnel PPP traffic over the Internet. Because L2TP does not encrypt traffic, both the control and data packets of the L2TP protocol are vulnerable to the following types of attacks:

•Discovery of user identities by snooping data packets.

•Modification packets (both control and data).

•Hijacking of the L2TP tunnel or the PPP connection inside the tunnel.

•Denial of service attacks that terminate PPP connections or L2TP tunnels.

•Disruption of the PPP Encryption Control Protocol (ECP) negotiation in order to weaken or remove confidentiality protection.

•Disruption of the PPP Link Control Protocol (LCP) authentication negotiation so as to weaken the PPP authentication process or gain access to user passwords.

IPSec addresses these threats in the following ways:

•Providing authentication, integrity, and replay protection of control packets.

•Providing integrity and replay protection of data packets.

•Protecting control packet confidentiality.

•Providing the option of a scalable approach to key management.

L2TP tunnel authentication provides mutual authentication between the LAC and the LNS at tunnel origination. Therefore, it does not protect control and data traffic on a per-packet basis. PPP authenticates the client to the LNS, but also does not provide per-packet authentication, integrity, or replay protection.

We recommend IPSec as the best method to ensure per-packet authentication, integrity, and replay protection.

Possible Solutions

Possible Solution No. 1: IPSec Tunnel Between the LAC and LNS

The client initiates a PPP session (either by itself or by using a peer) to the LAC. The LAC negotiates an L2TP tunnel with the LNS and forwards the client PPP session to the LNS. The LAC and LNS then negotiate an IPSec tunnel to encrypt the client PPP session. The session is encrypted between the LAC and LNS, which is the segment of the network most susceptible to attack, but it is not encrypted between the client and the LAC.

Possible Solution No. 2: IPSec Tunnel Between the Peer and LNS

The client connects to the peer, and the peer initiates a PPP session to the LAC. The LAC negotiates an L2TP tunnel with the LNS and forwards the client PPP session to the LNS. The peer and LNS then negotiate an IPSec tunnel to encrypt the client PPP session. In this solution, the only segment of the network that is not encrypted is the connection between the client and the peer. But because the client and peer are typically in the same office, this solution usually is not a security risk.

Possible Solution No. 3: IPSec Tunnel Between the Client and LNS

The client initiates a PPP session (either by itself or by using a peer) to the LAC. The LAC negotiates an L2TP tunnel with the LNS and forwards the client PPP session to the LNS. The client and LNS then negotiate an IPSec tunnel to encrypt the client PPP session. In this solution, the entire network is encrypted. This solution is useful when a peer is shared by different parties. It is also useful for mobile users that do not have access to a peer but still need a secure remote connection. The disadvantages of this solution are that it requires that every client be configured for IPSec (instead of just the single peer), and that IPSec negotiation may take longer on clients than on the peer.

Proposed Solution No. 2: IPSec Tunnel Between the Peer and LNS

The enterprise company decides to implement solution no. 2 because it is the simplest solution that provides the encryption it needs: The enterprise requires that the entire session be encrypted—not just the link between the LAC and LNS. The enterprise maintains its own peer at the remote office, so it does not need to encrypt the connections between clients and the peer. The enterprise does not need encryption for its mobile users, so it does not need to configure client-initiated IPSec.

Overview

Adding IPSec to an existing VPDN network is a relatively simple process. Usually, no new equipment is required; the existing VPDN devices can be reconfigured to perform IPSec. The only situation in which you might need to purchase new equipment is if the existing equipment does not have enough CPU power to perform IPSec in addition to its existing responsibilities.

Network Topology

Figure 2 shows the end-to-end IPSec VPDN network.

Figure 2 Postimplementation Network Topology

In the new IPSec network, the peer, LAC, and LNS establish L2TP tunnels and sessions exactly as they did in the original network. Once the L2TP tunnel and session are established, the peer initiates IPSec negotiation with the LNS (the LAC is not involved in IPSec). Once the peer and LNS complete IPSec negotiation, the connection is secured from the peer in the remote office to the LNS at the headquarters office.

Benefits

•Because IPSec is standards-based, the network will be able to interoperate with other non-Cisco IPSec-compliant devices.

•Because IPSec does not require any additional devices or any changes to the network topology, it is fast, easy, and inexpensive to deploy on an existing VPDN network.

•Deploying IPSec on the ISDN router instead of on individual PCs eliminates the need to reconfigure every PC in the office.

•IPSec is a flexible security solution: multiple encryption types are supported

IPSec can be reconfigured for more complex, large-scale service that uses such features as digital certificates, dynamic crypto maps, dynamic tunnel endpoint discovery, wildcard pre-shared keys, multiple certificate authority roots support, and so on.

Functional Description

This section contains the following sections:

•Overview of Call Establishment

•IPSec Negotiation Process

Overview of Call Establishment

Figure 3 shows how an IPSec-encrypted call is established over the VPDN network.

Figure 3 IPSec over VPDN Call Establishment

The following list describes the sequence of events shown in Figure 3:

1. A user in the enterprise remote office initiates a call to the headquarters office from a PC connected to the peer. The peer places a call over the Public Switched Telephone Network (PSTN) to forward the user PPP session to the LAC.

2. When the LAC receives the PPP session, it negotiates an L2TP tunnel with the LNS at the enterprise headquarters.

3. After the LAC and LNS establish an L2TP tunnel, the LAC forwards the user information to the LNS. The LNS authenticates the user and establishes an L2TP session for the user.

4. Once the L2TP tunnel and session are established, the remote user has connectivity to the enterprise headquarters. The peer then initiates IPSec negotiation directly with the LNS (the LAC is not involved in IPSec).

IPSec Negotiation Process

IPSec negotiation is processed by the following three software components: IPSec, Internet Key Exchange (IKE), and the crypto engine.

•IPSec—Initiates IPSec negotiation, and then verifies and implements the IKE negotiations.

•IKE—Negotiates the security policies and security associations (SAs).

•Crypto engine—Performs the actual encryption tasks.

The following list describes how an IPSec session is negotiated by these three software components:

1. After the L2TP tunnel and session are established, IPSec on the peer initiates IPSec negotiation.

2. IKE verifies the pre-shared keys.

3. IKE verifies which SA it is configured to support.

4. The crypto engine generates ALG parameters for Dh phase 1.

5. IKE verifies the IKE policy of the other device.

6. The crypto engine creates the ISAKMP SKEYID, generates HMAC context, and clears the dh number.

7. IKE compares the incoming transform sets against its allowed transform sets and negotiates the appropriate SAs. IKE first compares the AH protocol transforms, and then the ESP protocol transforms.

8. IPSec accepts the SAs negotiated by IKE.

9. IKE creates four SAs:

–AH protocol inbound

–AH protocol outbound

–ESP protocol inbound

–ESP protocol outbound

10. IPSec initializes these SAs.

11. IPSec installs the new SA information into its SA database.

For detailed information about IPSec negotiation, see "Debug Output" later in this document.

Implementation

The following sections describe how the IPSec network is implemented:

•Prerequisites

•Design Considerations

•Ramifications

•Device Characteristics

•Configuration Summaries

Prerequisites

Before IPSec is configured , the ISP and enterprise need to establish VPDN connectivity between the enterprise remote office and the headquarters using the ISP LAC to establish L2TP tunnels with the enterprise LNS.

IPSec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Before configuring IPSec, you should ensure that these protocols and ports are permitted by access lists.

Before configuring IPSec, you also should ensure that the any keyword is not used in any access lists.

Design Considerations

When designing an IPSec network, you will make a number of decisions. Most involve choosing between increased performance and increased security. The following sections provide details on these decisions:

•Authentication only, or Authentication and Encryption

•Encryption Algorithm

•Hash Algorithm

•Authentication Method

•Diffie-Hellman Group Identifier Options

•Security Association Lifetimes

Authentication only, or Authentication and Encryption

IPSec can be configured to perform authentication only, or both authentication and encryption.

Decision: The enterprise decides that its data needs to be both authenticated and encrypted.

Encryption Algorithm

IPSec offers the choice of two encryption algorithms: 56-bit DES-CBC or 168-bit DES. 168-bit DES is the more secure of the two encryption algorithms, but it requires more time and processing power than 56-bit DES-CBC. Also, there are international restrictions on 168-bit encryption.

Decision: The enterprise decides that 56-bit DES-CBC encryption is sufficient for its needs.

Hash Algorithm

IPSec offers the choice of two hash algorithms: SHA-1 and MD5. MD5 is slightly faster. There has been a demonstrated successful (but extremely difficult) attack against MD5; however, the HMAC variant used by IKE prevents this attack.

Decision: The enterprise decides to use the SHA-1 hash algorithm.

Authentication Method

IPSec offers three authentication methods:

•Rivest, Shamir, and Adleman (RSA) signatures—The most secure and the most scalable. However they require the use of a certification authority, which makes RSA signatures the most difficult option to configure.

•RSA encrypted nonces—Do not require that the peers possess the public keys of each other, but do not require the use of a certification authority. They are easier to configure in a small network, but do not scale well for large-scale networks.

•Pre-shared keys—The simplest authentication method. They do not scale well for large-scale networks, and are not as secure as RSA signatures.

Decision: The enterprise decides to make its initial IPSec configuration as simple as possible, so it decides to use pre-shared keys.

Diffie-Hellman Group Identifier Options

The Diffie-Hellman identifier is used for deriving key materials between peers. IPSec offers the choice of 768-bit or 1024-bit Diffie-Hellman groups. The 1024-bit Diffie-Hellman group is more secure, but requires more CPU time to execute.

Decision: The enterprise decides that the 768-bit Diffie-Hellman group is sufficient.

Security Association Lifetimes

The lifetimes of IKE security associations can be configured to any desired value. The default value is 86,400 seconds, or one day. When the first IKE negotiation begins, SAs are negotiated. Each peer retains the SAs until the SA lifetime expires. Any subsequent IKE negotiations can reuse these SAs, which speeds future negotiations. Therefore, longer lifetimes can increase performance, but they also increase SAs exposure to attack. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and used in an attack.

Decision: The enterprise decides to use the default value of 86,400-second SA lifetimes.

Ramifications

•Scaling limitations

Although using pre-shared authentication keys is the simplest way to implement IPSec, it is not a practical solution for large-scale networks. Therefore, if the ISP wants to expand its IPSec service, it should reconfigure IPSec to use digital certificates obtained from a certificate authority.

•Limitations of initiating IPSec at the ISDN router:

When IPSec is initiated at the ISDN router, the connection between the PC and the ISDN router is not encrypted. Usually, this un-encrypted link is not a security concern because the PC and ISDN router are both located in the same office. However, in some circumstances, the ISDN router may be shared by multiple parties. In this case, the connection between the PC and ISDN router could be subject to attack.

Also, initiating IPSec at the ISDN router limits security for mobile users. The connection between the mobile PC and the ISDN router will not be encrypted. This connection is over the PSTN, which is less susceptible to attack than is the Internet. Therefore it is not a critical security concern, but it is a concern for highly sensitive data.

Device Characteristics

Figure 4 shows added details of the devices critical to performing IPSec over VPDN.

Figure 4 Details of Network Topology

Device Characteristics

Table 2 describes the devices shown in Figure 4.

Table 2 Hardware and Software Used

	ISDN Router	LAC	LNS
Host Name	isdn4	NAS5-58-RS	ISP3AC5
Chassis Type	Cisco 1720 router	Cisco AS5800 access server	Cisco 7206 VXR router
Physical Interfaces	2 serial 1 BRI 1 Fast Ethernet 6 dialers	5 Fast Ethernet 6 Ethernet 6 serial 3 dialers	4 Fast Ethernet 5 Ethernet
Software Loaded	Cisco IOS Release 12.1(4)T	Cisco IOS Release 12.1(4)T	Cisco IOS Release 12.1(3)
Ethernet IP Address and IP Address Ranges	Fast Ethernet 0: 192.232.1.25	Fast Ethernet 0/0/0: 192.232.0.33 (primary) Fast Ethernet 0/5/0: 192.232.0.41 (secondary)	Fast Ethernet 0/0: 192.250.3.9 (to RADIUS server) Fast Ethernet 3/0: 192.250.3.2 (to ISP3DA4, used for VPDN traffic) IP local pool ISP3POOL: 192.239.192.1 192.239.199.254

Configuration Summaries

The following sections contain the sections of the device configurations needed to enable IPSec on an L2TP network:

•Configuring the Peer for IPSec over VPDN

•Configuring the LAC for IPSec over VPDN

•Configuring the LNS for IPSec over VPDN

•Configuring the LNS TACACS+ Server for VPDN

Configuring the Peer for IPSec over VPDN

The following commands are necessary to enable a peer to dial in to the LAC and negotiate IPSec with the LNS:

!Identifies the version of Cisco IOS software running on the LAC.

version 12.1

!Includes millisecond timestamps on log and debug entries that are useful for

!troubleshooting and optimizing the network.

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

!Specifies that passwords will not be encrypted in configuration output. This is useful

!when first configuring a network, but is a security risk when the network is

!operational. 

no service password-encryption

!

!Configures the hostname of the router.

hostname isdn4

!

logging buffered 4096 debugging

enable secret 5 $1$r4OC$rE0tf7GTYYZFc80M5SRJL0

!

username nas2-52 password 0 lab

!

!

memory-size iomem 15

!Configures the timezone and Daylight Savings Time adjustment.

clock timezone PDT -8

clock summer-time PDT recurring

!Allows for the configuration of the first subnet in each classfull network.

ip subnet-zero

!

isdn switch-type basic-5ess

isdn voice-call-failure 0

!

!

!Creates IKE policy 1, which would be given highest priority if there were additional IKE 
!policies.  

crypto isakmp policy 1

!Specifies that IKE will use pre-shared keys for authentication.

 authentication pre-share

!By default, this IKE policy will use the 56-bit DES-CBC encryption algorithm, the SHA-1 
!hash algorithm, the 768-bit Diffie-Hellman group, and 86400 second SA lifetimes.

!

!Specifies the pre-shared key as cisco123 for negotiation with the LNS at IP address 
!192.250.3.2. This pre-shared key must also be specified on the LNS for the peer IP 
!address.

crypto isakmp key cisco123 address 192.250.3.2

!By default, the peer's ISAKMP identity is set as its IP address, 192.232.1.25.

!

!Creates the transform set called e2e. It includes an AH transform, an ESP encryption 
!transform, and an ESP authentication transform. The transform set on the LNS must 
!include all three of these transforms for successful negotiation.

crypto ipsec transform-set e2e ah-md5-hmac esp-des esp-md5-hmac 

!

!

!Creates the crypto map called vpdn-isg, gives it a sequence number (priority) of 10, and 
!specifies that IKE will be used to establish IPSec security associations.

crypto map vpdn-isg 10 ipsec-isakmp

!Specifies the IP address of the LNS.

 set peer 192.250.3.2

!Instructs the crypto map to use the e2e transform set.

 set transform-set e2e

!Specifies that extended access list 101 will be used to determine which traffic is to be 
!protected by IPSec.

 match address 101

!

cns event-service server

!

!

interface BRI0

 description "Lucent BRI # 60153"

 no ip address

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 dialer pool-member 1

 isdn switch-type basic-5ess

 isdn incoming-voice modem

 no fair-queue

 no cdp enable

!Specifies that traffic using BRI 0 is to be encrypted by crypto map vpdn-isg.

 crypto map vpdn-isg

!

!FastEthernet 0 is the interface that is used for VPDN and IPSec traffic.

interface FastEthernet0

 ip address 192.232.1.25 255.255.255.248

 speed auto

 half-duplex

 no cdp enable

!

!Dialer 6 is used to establish the initial PPP connection to the LAC.

interface Dialer6

 description "vpdn dialup to ISP3AC5 192.250.3.0 via NAS5-58-RS"

 ip unnumbered FastEthernet0

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 dialer pool 1

!Specifies the remote name of the LAC.

 dialer remote-name isp3ac5-hgw

!Specifies the PRI number of the LAC.

 dialer string 50127

 dialer-group 1

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname isdn4@isp3-2.com

 ppp chap password 7 09404F0B

!Specifies that traffic using dialer 6 is to encrypted by crypto map vpdn-isg.

 crypto map vpdn-isg

!

ip classless

ip route 192.232.1.24 255.255.255.248 FastEthernet0

ip route 192.250.3.2 255.255.255.255 Dialer6

ip route 0.0.0.0 0.0.0.0 Dialer6

no ip http server

!

!Specifies that traffic from 192.232.1.24 (the peer) to 192.250.3.0 (the LNS) is to be 
!permitted. Because this access list is reference in crypto map vpdn-isg, traffic meeting 
the requirements of this access list will be encrypted by crypto map vpdn-isg.

access-list 101 permit ip 192.232.1.24 0.0.0.7 192.250.3.0 0.0.0.7

dialer-list 1 protocol ip permit

!

!

end

For the complete configuration, see "Peer Configuration."

Configuring the LAC for IPSec over VPDN

The following commands are necessary to enable the LAC to receive calls from the peer and forward them to the LNS using L2TP. The LAC is not involved in IPSec negotiation.

!Identifies the version of Cisco IOS software running on the LAC

version 12.1

!Includes millisecond timestamps on log and debug entries that are useful for

!troubleshooting and optimizing the network

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

!Specifies that passwords will not be encrypted in configuration output. This is useful

!when first configuring a network, but is a security risk when the network is

!operational. 

no service password-encryption

!

!Configures the hostname for the LAC.

hostname NAS5-58-RS

!

boot system flash c5800-p456i-mz.121-4.0.1.T

!Configures AAA and specifies that the LAC will authenticate VPDN tunnels with RADIUS.

aaa new-model

aaa authentication ppp default if-needed local group radius

!

!Configures the usernames and passwords that are used for VPDN tunnel negotiation. These 
!usernames and passwords are called tunnel secrets.

username isp3ac5-hgw password 0 lab

username isdn-nas5-isp3 password 0 lab

!

!

!Configures the timezone and Daylight Savings Time adjustment.

clock timezone PDT -8

clock summer-time PDT recurring

dial-tdm-clock  priority 1 trunk-slot 0 port 0

!

!

!Allows for the configuration of the first subnet in each classfull network.

ip subnet-zero

ip cef

no ip domain-lookup

!

!Turns on VPDN.

vpdn enable

no vpdn logging

!Instructs the LAC to tunnel VPDN calls based on the user domain name.

vpdn search-order domain 

!

!This is the VPDN group for the enterprise.

vpdn-group 1

!Configures a request dial-in VPDN subgroup.

 request-dialin

!Configures L2TP as the tunnel protocol.

  protocol l2tp

!Specifies that users with the domain name isp3-2.com will be tunneled by this VPDN

!group.

 domain isp3-2.com

!Specifies the IP address of the enterprise LNS. 

!

 initiate-to ip 192.250.3.2 

!Configures the local name that the ISP will use to identify itself for L2TP tunnel

!authentication with the service provider LNS. If the ISP expands to a stacked-LAC

!environment, it will need to use the same local name on all of the LACs.

 local name isdn-nas5-isp3

!

!Configures the telco switch type. When the switch type is configured in global

!configuration mode, it is automatically propagated into the individual serial

!interfaces.

isdn switch-type primary-5ess

!

!

!

controller T1 1/0/4

!Configures the T1 framing type as super frame (ESF).

 framing esf

!Configures the LAC to gets its primary clocking from T1 controller 0.

 clock source line primary

!Configures the T1 line code type as B8ZS.

 linecode b8zs

!Assigns all 24 T1 timeslots as ISDN PRI channels and creates a D-channel serial

!interface (Serial interface 0:23). Individual B-channel serial interfaces are also

!created (Serial interfaces 0:0 through 0:22), but they are not shown in the

!configuration.

 pri-group timeslots 1-24

!Includes the PRI number that corresponds to this controller in the configuration for 
!easy reference. 

 description LucentPRInumber = 50127

!

!

interface FastEthernet0/0/0

 description "This is the IP id for this router"

 ip address 192.232.0.33 255.255.255.248

 full-duplex

!

interface FastEthernet0/5/0

 description "This is the secondary interface for router"

 ip address 192.232.0.41 255.255.255.248

 full-duplex

!

!

!

!Serial interface 1/0/4:23 is the D channel that corresponds to controller T1 1/0/4. The 
!behavior of the B-channel serial interfaces (1/0/4:0 through 1/0/4:22) is controlled by 
!the configuration of Serial interface 1/0/4:23.

interface Serial1/0/4:23

!Includes the PRI number that corresponds to this interface in the configuration for 
!easy reference. 

 description LucentPRInumber = 50127

!Specifies that the interface does not require an IP address.

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

!This command is automatically configured on all of the serial interfaces by the isdn

!switch-type global configuration mode command.

 isdn switch-type primary-5ess

!

!

interface Dialer1

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 dialer in-band

 dialer map ip 192.232.1.25 name isdn4

 dialer-group 1

 peer default ip address pool NAS5POOL

 ppp authentication chap pap ms-chap

!

!

ip classless

ip route 192.232.1.24 255.255.255.248 192.232.1.25

ip route 192.232.1.25 255.255.255.255 Dialer1

ip route 192.250.3.0 255.255.255.248 192.232.0.38

ip route 192.250.3.0 255.255.255.248 192.232.0.44

no ip http server

!

access-list 10 permit 192.232.0.0 0.0.255.255

access-list 101 permit ip 192.232.0.32 0.0.0.7 192.232.1.40 0.0.0.7

dialer-list 1 protocol ip permit

!

!

!

!Specifies the IP address of the RADIUS server, and the ports that are to be sued for 
!authorization and accounting.

radius-server host 192.232.0.122 auth-port 1645 acct-port 1646

!Specifies that 

radius-server retransmit 5

!Configures the password for the RADIUS server.

radius-server key <key>

!

!

!

end

For the complete LAC configuration, see "LAC Configuration."

Configuring the LNS for IPSec over VPDN

The following commands are necessary to enable the LNS to establish L2TP tunnels and sessions with the LAC and to negotiate IPSec with the peer:

!Identifies the version of Cisco IOS software running on the LAC.

version 12.1

!Includes millisecond timestamps on log and debug entries that are useful for

!troubleshooting and optimizing the network.

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

!Specifies that passwords will not be encrypted in configuration output. This is useful

!when first configuring a network, but is a security risk when the network is

!operational. 

no service password-encryption

service udp-small-servers

service tcp-small-servers

!

!Configures the hostname of the router.

hostname ISP3AC5

!

boot system disk0:c7200-jo3s56i-mz.121-3.3

!

!Configures AAA and specifies that the LAC will authenticate VPDN tunnels with TACACS+.

aaa new-model

aaa authentication ppp default local group tacacs+

!

!

!

!Configures the usernames and passwords that are used for VPDN tunnel negotiation. These 
!usernames and passwords are called tunnel secrets.

username isdn-nas5-isp3 password 0 lab

username isp3ac5-hgw password 0 lab

!

!

!Configures the timezone and Daylight Savings Time adjustment.

clock timezone PST -8

clock summer-time PST recurring

!Allows for the configuration of the first subnet in each classfull network.

ip subnet-zero

no ip finger

no ip domain-lookup

!

!Turns on VPDN.

vpdn enable

no vpdn logging

!

!

!This is the VPDN group that negotiates with the ISP LAC.

vpdn-group 2

!Configures an accept-dialin VPDN subgroup.

 accept-dialin

!Specifies that this VPDN group will negotiate either L2F or L2TP tunnels.

  protocol any

!Instructs the LNS to clone virtual access interfaces for VPDN sessions from virtual

!template 3.

  virtual-template 3

!Specifies that this VPDN group will negotiate L2TP tunnels with LACs that identify

!themselves with the local name isdn-nas5-isp3.

 terminate-from hostname isdn-nas5-isp3

 local name isp3ac5-hgw

!

!Creates IKE policy 1, which would be given highest priority if there were additional IKE 
!policies.  

crypto isakmp policy 1

!Specifies that IKE will use pre-shared keys for authentication.

 authentication pre-share

!By default, this IKE policy will use the 56-bit DES-CBC encryption algorithm, the SHA-1 
!hash algorithm, the 768-bit Diffie-Hellman group, and 86400 second SA lifetimes.

!

!Specifies the pre-shared key as cisco123 for negotiation with the peer at IP address 
!192.232.1.25. This pre-shared key must also be specified on the peer for the LNS IP 
!address.

!By default, the LNS's ISAKMP identity is set as its IP address, 192.250.3.2.

crypto isakmp key cisco123 address 192.232.1.25

!The next two pre-shared keys are for IPSec tunnels to other peers (not shown in this 
!network) at the IP addresses 192.232.1.33.57, and 192.232.1.57.

crypto isakmp key cisco123 address 192.232.1.33

crypto isakmp key cisco123 address 192.232.1.57

!

!

!Creates the transform set called e2e. It includes an AH transform, an ESP encryption 
!transform, and an ESP authentication transform. The transform set on the LNS must 
!include all three of these transforms for successful negotiation.

crypto ipsec transform-set e2e ah-md5-hmac esp-des esp-md5-hmac 

!

!Creates the crypto map called vpdn-isg, gives it a sequence number (priority) of 10, and 
!specifies that IKE will be used to establish IPSec security associations.

crypto map vpdn-isg 10 ipsec-isakmp

!Specifies the IP address of the peer.

 set peer 192.232.1.25

!Instructs the crypto map to use the e2e transform set.

 set transform-set e2e

!Specifies that extended access list 102 will be used to determine which traffic is to be 
!protected by IPSec.

 match address 102

!The next two crypto maps are for the IPSec tunnels to other peers not shown in this 
!network.

crypto map vpdn-isg 20 ipsec-isakmp   

 set peer 192.232.1.33

 set transform-set e2e 

 match address 103

crypto map vpdn-isg 30 ipsec-isakmp   

 set peer 192.232.1.57

 set transform-set e2e 

 match address 104

!

cns event-service server

!

!

interface FastEthernet0/0

 description "network to the TACACS+ server - stss-ss20"

 ip address 192.250.3.9 255.255.255.248

 full-duplex

!

!

interface FastEthernet3/0

 description To ISP3DA4, Fa5/1

 ip address 192.250.3.2 255.255.255.248

 no ip route-cache

 no ip mroute-cache

 half-duplex

!

!

!

!Creates virtual template 3, which is used to clone virtual access interfaces for

!incoming VPDN sessions.

interface Virtual-Template3

!Specifies that the virtual access interfaces will use the IP address of Fast Ethernet

!interface 3/0.

 ip unnumbered FastEthernet3/0

 no ip route-cache

 no keepalive

!Enables CHAP and PAP authentication.

 ppp authentication chap

!Specifies that traffic using virtual-access interfaces cloned from virtual template 3 is 
!to be encrypted by crypto map vpdn-isg.

 crypto map vpdn-isg

!

ip local pool ISP3POOL 192.239.192.1 192.239.199.254

ip kerberos source-interface any

no ip classless

ip route 0.0.0.0 0.0.0.0 192.250.3.1

ip route 192.232.1.0 255.255.255.248 192.232.1.1

ip route 192.232.1.8 255.255.255.248 192.232.1.9

ip route 192.232.1.16 255.255.255.248 192.232.1.17

ip route 192.232.1.24 255.255.255.248 192.232.1.25

ip route 192.232.1.32 255.255.255.248 192.232.1.33

ip route 192.232.1.40 255.255.255.248 192.232.1.41

ip route 192.232.1.48 255.255.255.248 192.232.1.49

ip route 192.232.1.56 255.255.255.248 192.232.1.57

no ip http server

!

!Specifies that traffic from 192.250.3.0 (the LNS) to 192.232.1.24 (the peer) is to be 
!permitted. Because this access list is reference in crypto map vpdn-isg, traffic meeting 
!the requirements of this access list will be encrypted by crypto map vpdn-isg.

access-list 102 permit ip 192.250.3.0 0.0.0.7 192.232.1.24 0.0.0.7

!The next two access lists are for the IPSec tunnels to other peers not shown in this 
!network.

access-list 103 permit ip 192.250.3.0 0.0.0.7 192.232.1.32 0.0.0.7

access-list 104 permit ip 192.250.3.0 0.0.0.7 192.232.1.56 0.0.0.7

!

!Specifies the IP address of the TACACS+ server.

tacacs-server host 223.255.254.254

!Configures the password for the TACACS+ server.

tacacs-server key cisco12345

!

!

!

!

end

For the complete LNS configuration, see "LNS Configuration."

Configuring the LNS TACACS+ Server for VPDN

The following user profile enables the LNS TACACS+ server to verify a user who dials in with the username isdn4@isp3-2com and the password lab.

user = isdn4@isp3-2com{

      password = chap "lab"

      service=ppp {

      protocol=lcp {

      }

      protocol=ip {

      }

Complete Configuration Files

The following sections contain the complete device configurations:

•Peer Configuration

•LNS Configuration

•LAC Configuration

•LNS TACACS+ Server Configuration

Peer Configuration

!

hostname isdn4

!

logging buffered 4096 debugging

enable secret 5 $1$r4OC$rE0tf7GTYYZFc80M5SRJL0

!

username nas2-52 password 0 lab

!

!

!

!

memory-size iomem 15

clock timezone PDT -8

clock summer-time PDT recurring

ip subnet-zero

no ip finger

ip ftp username anonymous

ip ftp password cywang@cisco.com 

no ip domain-lookup

ip host tftp-ipc 223.255.254.254

ip host NAS3-53 192.232.0.17

ip host NAS2-52 192.232.0.9

!

ip audit notify log

ip audit po max-events 100

isdn switch-type basic-5ess

isdn voice-call-failure 0

!

!

!

!

!

!

!

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key cisco123 address 192.250.3.2

!

!

crypto ipsec transform-set e2e ah-md5-hmac esp-des esp-md5-hmac 

!

crypto map vpdn-isg 10 ipsec-isakmp   

 set peer 192.250.3.2

 set transform-set e2e 

 match address 101

!

cns event-service server

!

!

!

!

interface Serial0

 no ip address

 shutdown

 no fair-queue

 no cdp enable

!

interface Serial1

 no ip address

 shutdown

 no cdp enable

!

interface BRI0

 description "Lucent BRI # 60153"

 no ip address

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 dialer pool-member 1

 isdn switch-type basic-5ess

 isdn incoming-voice modem

 no fair-queue

 no cdp enable

 crypto map vpdn-isg

!

interface FastEthernet0

 ip address 192.232.1.25 255.255.255.248

 speed auto

 half-duplex

 no cdp enable

!

interface Dialer1

 description "dialup to NAS2-52 to I & 192.232.0.8 network"

 ip unnumbered FastEthernet0

 encapsulation ppp

 no ip mroute-cache

 dialer pool 1

 dialer remote-name NAS2-52

 dialer idle-timeout 180

 dialer string 50151

 dialer-group 1

 pulse-time 0

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname isdn4

!

interface Dialer5

 description "vpdn dialup to local1.com" via NAS5-58

 ip unnumbered FastEthernet0

 encapsulation ppp

 dialer pool 1

 dialer remote-name LOCAL1HGW-45

 dialer string 50120

 dialer-group 1

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname isdn4@l2tplocal1.com

 ppp chap password 7 00081204

!

interface Dialer6

 description "vpdn dialup to ISP3AC5 192.250.3.0 via NAS5-58-RS"

 ip unnumbered FastEthernet0

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 dialer pool 1

 dialer remote-name isp3ac5-hgw

 dialer string 50127

 dialer-group 1

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname isdn4@isp3-2.com

 ppp chap password 7 09404F0B

 crypto map vpdn-isg

!

ip default-gateway 192.232.0.17

ip kerberos source-interface any

ip classless

ip route 192.232.0.8 255.255.255.248 192.232.0.9

ip route 192.232.0.9 255.255.255.255 Dialer1

ip route 192.232.3.0 255.255.255.248 192.232.3.1

ip route 192.232.3.1 255.255.255.255 Dialer5

ip route 192.250.3.0 255.255.255.248 192.250.3.2

ip route 192.250.3.2 255.255.255.255 Dialer6

ip route 192.255.201.55 255.255.255.255 192.232.0.22

ip route 223.255.254.0 255.255.255.0 FastEthernet0

no ip http server

!

access-list 101 permit ip 192.232.1.24 0.0.0.7 192.250.3.0 0.0.0.7

dialer-list 1 protocol ip permit

no cdp run

!

!

line con 0

 exec-timeout 0 0

 transport input none

line aux 0

line vty 0 4

 exec-timeout 0 0

 password lab

 login

!

exception protocol ftp

exception dump 223.255.254.254

sntp server 223.255.254.254

no scheduler allocate

end

LAC Configuration

Current configuration : 20078 bytes

!

! Last configuration change at 11:13:34 PDT Fri Sep 29 2000

! NVRAM config last updated at 17:23:52 PDT Thu Sep 28 2000

!

version 12.1

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service compress-config

!

hostname NAS5-58-RS

!

boot system flash c5800-p456i-mz.121-4.0.1.T

aaa new-model

aaa authentication login NO_Auth none

aaa authentication login VTY local-case group radius

aaa authentication ppp default if-needed local group radius

aaa authorization network default local group radius 

aaa accounting suppress null-username

aaa accounting exec NO_Auth stop-only group radius

aaa accounting network default start-stop group radius

enable secret 5 $1$K7AO$bfpHNfllIAngDnnrC4lAK1

!

username cisco password 0 lab

username nas5-l2tp password 0 lab

username local1-hgw password 0 lab

username nas5 password 0 lab

username nas5-b2b password 0 lab

username isp3ac5-hgw password 0 lab

username isdn-nas5-isp3 password 0 lab

username linux-nas5-isp3 password 0 lab

username peer1-58-RS password 0 lab

username async4 password 0 lab

username CGb000 password 0 lab

!

!

!

!

shelf-id 0 router-shelf

shelf-id 1 dial-shelf

!

!

!

resource-pool disable

!

modem-pool Default

 pool-range 1/3/0-1/3/71,1/4/0-1/4/71,1/5/0-1/5/71,1/6/0-1/6/143,1/7/0-1/7/143

!

clock timezone PDT -8

clock summer-time PDT recurring

dial-tdm-clock  priority 1 trunk-slot 0 port 0

!

!

!

!

ip subnet-zero

ip rcmd rsh-enable

ip cef

no ip domain-lookup

!

vpdn enable

no vpdn logging

vpdn search-order domain 

!

vpdn-group 1

 request-dialin

  protocol l2tp

  domain isp3-1.com

  domain isp3-2.com

 initiate-to ip 192.250.3.2 

 local name isdn-nas5-isp3

!

vpdn-group 2

 request-dialin

  protocol l2tp

  domain l2tplocal1.com

 initiate-to ip 192.232.3.1 

 local name nas5-l2tp

!

vpdn-group 3

 request-dialin

  protocol l2f

  domain l2flocal1.com

  domain vpdn1.com

 initiate-to ip 192.232.3.1 

 local name nas5

!

vpdn-group 4

 request-dialin

  protocol l2tp

  domain vpdn2.com

 initiate-to ip 192.232.3.1 

 local name nas5

!

vpdn-group 5

 request-dialin

  protocol l2tp

  domain isp3-3.com

 initiate-to ip 192.250.3.2 

 local name nas5-b2b

!

isdn switch-type primary-5ess

chat-script dial ABORT "NO CARRIER" TIMEOUT 30 "" at OK "\datd \T" CONNECT

!

!

!

!

!

!

!

crypto isakmp policy 1

 authentication pre-share

!

crypto isakmp policy 2

 authentication pre-share

crypto isakmp key cisco1234 address 192.232.1.41

!

!

crypto ipsec transform-set dial esp-des esp-md5-hmac 

!

crypto map toISDN6 20 ipsec-isakmp   

 set peer 192.232.1.41

 set transform-set dial 

 match address 101

!

!

!

controller T1 1/0/0

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50120

!

controller T1 1/0/1

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50121

!

controller T1 1/0/2

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50122

!

controller T1 1/0/3

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50126

!

controller T1 1/0/4

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50127

!

controller T1 1/0/5

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50128 

!

controller T1 1/0/6

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description LucentPRInumber = 50129

!

controller T1 1/0/7

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description "btb to callgen router T1-1"

!

controller T1 1/0/8

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description "btb to callgen router T1-2"

!

controller T1 1/0/9

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description "btb to callgen router T1-3"

!

controller T1 1/0/10

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

 description "btb to callgen router T1-5"

!

controller T1 1/0/11

 framing esf

 linecode b8zs

 pri-group timeslots 1-3,24

!

controller T3 1/1/0

 framing c-bit

 clock source line

 cablelength 224

 t1 1-24,28 controller

!

controller T1 1/1/0:1

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:2

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:3

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:4

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:5

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:6

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:7

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:8

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:9

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:10

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:11

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:12

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:13

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:14

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:15

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:16

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:17

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:18

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:19

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:20

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:21

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:22

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:23

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:24

 framing esf

 pri-group timeslots 1-24

!

controller T1 1/1/0:28

 framing esf

 pri-group timeslots 1-24

!

!

!

interface Loopback0

 ip address 111.111.111.1 255.255.255.0

!

interface Loopback1

 ip address 222.222.222.1 255.255.255.0

!

interface FastEthernet0/0/0

 description "This is the IP id for this router"

 ip address 192.232.0.33 255.255.255.248

 full-duplex

!

interface FastEthernet0/5/0

 description "This is the secondary interface for router"

 ip address 192.232.0.41 255.255.255.248

 full-duplex

!

interface Ethernet0/6/0

 description "temporary connection to e4/0 of tftp-gw1 to tftp-server"

 ip address 192.232.2.4 255.255.255.248

 shutdown

!

interface Ethernet0/6/1

 description "Network to CG-TERM-5300 ethernet 0"

 ip address 193.0.1.2 255.255.255.0 secondary

 ip address 193.0.1.3 255.255.255.0 secondary

 ip address 193.0.1.1 255.255.255.0

 no ip mroute-cache

 no cdp enable

!

interface Ethernet0/6/2

 ip address 131.3.81.58 255.255.255.0

!

interface Ethernet0/6/3

 no ip address

!

interface Serial1/0/0:23

 description LucentPRInumber = 50120

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 crypto map toISDN6

!

interface Serial1/0/1:23

 description LucentPRInumber = 50121

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/2:23

 description LucentPRInumber = 50122

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/3:23

 description LucentPRInumber = 50126

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/4:23

 description LucentPRInumber = 50127

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/5:23

 description LucentPRI# = 50128 (huntgroup # = 50199)

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/6:23

 description LucentPRI# = 50129 (huntgroup # = 50199)

 no ip address

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/7:23

 description "btb to callgen router T1-1"

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/8:23

 description "btb to callgen router T1-2"

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 dialer rotary-group 1

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

!

interface Serial1/0/9:23

 description "btb to callgen router T1-3"

 no ip address

 encapsulation ppp

 no ip route-cache cef

 ip mroute-cache

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 no peer default ip address

 ppp authentication chap pap

!

interface Serial1/0/10:23

 no ip address

 encapsulation ppp

 no ip route-cache cef

 ip mroute-cache

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 no peer default ip address

 ppp authentication chap pap

!

interface Serial1/0/11:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap

!

interface Serial1/1/0:1:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:2:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:3:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:4:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:5:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:6:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:7:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:8:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:9:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:10:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:11:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:12:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:13:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:14:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:15:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:16:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:17:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:18:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:19:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:20:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:21:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:22:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:23:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:24:23

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip mroute-cache

 load-interval 30

 dialer-group 1

 isdn switch-type primary-5ess

 isdn incoming-voice modem

 ppp authentication chap pap

!

interface Serial1/1/0:28:23

 no ip address

 no ip route-cache cef

 isdn switch-type primary-5ess

 no cdp enable

!

interface Group-Async0

 no ip address

 no group-range

!

interface Group-Async1

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 ip tcp header-compression passive

 no ip mroute-cache

 dialer in-band

 dialer-group 1

 ntp disable

 async default routing

 async mode dedicated

 peer default ip address pool NAS5POOL

 ppp authentication chap pap

 group-range 1/3/00 1/7/143

!

interface Dialer1

 ip unnumbered FastEthernet0/0/0

 encapsulation ppp

 no ip route-cache cef

 no ip route-cache

 no ip mroute-cache

 dialer in-band

 dialer map ip 192.232.1.25 name isdn4

 dialer map ip 192.232.1.33 name isdn5

 dialer map ip 192.232.2.33 name async3

 dialer map ip 192.232.1.41 name isdn6

 dialer map ip 192.232.1.49 name isdn7

 dialer map ip 192.232.1.57 name isdn8

 dialer map ip 192.232.1.1 name isdn1

 dialer map ip 192.232.2.1 async1

 dialer map ip 192.232.1.9 name isdn2

 dialer map ip 192.232.1.17 name isdn3

 dialer-group 1

 peer default ip address pool NAS5POOL

 ppp authentication chap pap ms-chap

 crypto map toISDN6

!

interface Dialer2

 no ip address

 no ip route-cache cef

 no cdp enable

!

interface Dialer3

 no ip address

 no ip route-cache cef

 no cdp enable

!

router rip

 version 2

 redistribute connected

 passive-interface Dialer1

 network 192.232.0.0

 network 192.239.224.0

 network 192.239.225.0

 network 192.239.226.0

 network 192.239.227.0

 no auto-summary

!

ip local pool NAS5POOL 192.239.224.2 192.239.227.254

ip kerberos source-interface any

ip classless

ip route 112.0.0.0 255.0.0.0 192.250.3.2

ip route 122.0.0.0 255.0.0.0 192.250.3.2

ip route 191.0.0.0 255.0.0.0 131.3.81.61

ip route 192.232.1.0 255.255.255.248 192.232.1.1

ip route 192.232.1.8 255.255.255.248 192.232.1.9

ip route 192.232.1.16 255.255.255.248 192.232.1.17

ip route 192.232.1.24 255.255.255.248 192.232.1.25

ip route 192.232.1.32 255.255.255.248 192.232.1.33

ip route 192.232.1.40 255.255.255.248 192.232.1.41

ip route 192.232.1.40 255.255.255.248 Dialer1

ip route 192.232.150.0 255.255.255.0 192.250.3.2

ip route 192.236.2.0 255.255.255.0 192.250.3.2

ip route 192.236.8.0 255.255.248.0 192.250.3.2

ip route 192.236.32.0 255.255.248.0 192.250.3.2

ip route 192.236.48.0 255.255.248.0 192.250.3.2

ip route 192.250.3.0 255.255.255.248 192.232.0.38

ip route 192.250.3.0 255.255.255.248 192.232.0.44 100

ip route 223.255.254.0 255.255.255.0 Ethernet0/6/2

no ip http server

!

access-list 10 permit 192.232.0.0 0.0.255.255

access-list 10 permit 192.239.0.0 0.0.255.255

access-list 101 permit ip 192.232.0.32 0.0.0.7 192.232.1.40 0.0.0.7

access-list 102 permit ip 192.232.0.0 0.0.0.255 192.232.1.0 0.0.0.255

dialer-list 1 protocol ip permit

route-map FILTER permit 10

 match ip address 10

!

!

!

radius-server host 192.232.0.122 auth-port 1645 acct-port 1646

radius-server retransmit 5

radius-server key ciscolab

!

voice-port 1/0/0:D

!

voice-port 1/0/1:D

!

voice-port 1/0/2:D

!

voice-port 1/0/3:D

!

voice-port 1/0/4:D

!

voice-port 1/0/5:D

!

voice-port 1/0/6:D

!

voice-port 1/0/7:D

!

voice-port 1/0/8:D

!

voice-port 1/0/9:D

!

voice-port 1/0/10:D

!

voice-port 1/0/11:D

!

voice-port 1/1/0:1:D

!

voice-port 1/1/0:2:D

!

voice-port 1/1/0:3:D

!

voice-port 1/1/0:4:D

!

voice-port 1/1/0:5:D

!

voice-port 1/1/0:6:D

!

voice-port 1/1/0:7:D

!

voice-port 1/1/0:8:D

!

voice-port 1/1/0:9:D

!

voice-port 1/1/0:10:D

!

voice-port 1/1/0:11:D

!

voice-port 1/1/0:12:D

!

voice-port 1/1/0:13:D

!

voice-port 1/1/0:14:D

!

voice-port 1/1/0:15:D

!

voice-port 1/1/0:16:D

!

voice-port 1/1/0:17:D

!

voice-port 1/1/0:18:D

!

voice-port 1/1/0:19:D

!

voice-port 1/1/0:20:D

!

voice-port 1/1/0:21:D

!

voice-port 1/1/0:22:D

!

voice-port 1/1/0:23:D

!

voice-port 1/1/0:24:D

!

voice-port 1/1/0:28:D

!

dial-peer cor custom

!

!

!

!

line con 0

 exec-timeout 0 0

 login authentication NO_Auth

 transport input none

line aux 0

line vty 0 4

 password lab

 login authentication VTY

line 1/3/00 1/3/71

 exec-timeout 0 0

 activation-character 0

 disconnect-character 0

 autoselect during-login

 autoselect ppp

 script dialer dial

 modem InOut

 no modem log rs232

 transport preferred none

 transport input all

 escape-character soft 0

 escape-character 0

 autohangup

 hold-character 0

line 1/4/00 1/4/71

 exec-timeout 0 0

 activation-character 0

 disconnect-character 0

 autoselect during-login

 autoselect ppp

 script dialer dial

 modem InOut

 no modem log rs232

 transport preferred none

 transport input all

 escape-character soft 0

 escape-character 0

 autohangup

 hold-character 0

line 1/5/00 1/5/71

 exec-timeout 0 0

 activation-character 0

 disconnect-character 0

 autoselect during-login

 autoselect ppp

 script dialer dial

 modem InOut

 no modem log rs232

 transport preferred none

 transport input all

 escape-character soft 0

 escape-character 0

 autohangup

 hold-character 0

line 1/6/00 1/6/143

 exec-timeout 0 0

 activation-character 0

 disconnect-character 0

 autoselect during-login

 autoselect ppp

 script dialer dial

 modem InOut

 no modem log rs232

 transport preferred none

 transport input all

 escape-character soft 0

 escape-character 0

 autohangup

 hold-character 0

line 1/7/00 1/7/143

 exec-timeout 0 0

 activation-character 0

 disconnect-character 0

 autoselect during-login

 autoselect ppp

 script dialer dial

 modem InOut

 no modem log rs232

 transport preferred none

 transport input all

 escape-character soft 0

 escape-character 0

 autohangup

 hold-character 0

!

ntp clock-period 17180177

ntp update-calendar

ntp server 223.255.254.254 version 1

end

LNS Configuration

Current configuration : 37589 bytes

!

! Last configuration change at 13:00:31 PST Tue Oct 3 2000

! NVRAM config last updated at 17:15:00 PST Fri Sep 29 2000 by hkonardi

!

version 12.1

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

no service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname ISP3AC5

!

boot system disk0:c7200-jo3s56i-mz.121-3.3

aaa new-model

aaa authentication login default local-case group tacacs+

aaa authentication login NO_Auth none

aaa authentication ppp default local group tacacs+

aaa authorization network default if-authenticated local group tacacs+ 

aaa accounting exec default start-stop group acacs+

enable password lab

!

!

!

username isdn-nas5-isp3 password 0 lab

username isp3ac5-hgw password 0 lab

!

!

clock timezone PST -8

clock summer-time PST recurring

ip subnet-zero

no ip finger

ip ftp username dial

ip ftp password dial

no ip domain-lookup

ip host tftpserv 223.255.254.254

!

ip multicast-routing

vpdn enable

no vpdn logging

!

vpdn-group 1

 accept-dialin

  protocol any

  virtual-template 1

 terminate-from hostname nas5-to-isp3

 local name isp3ac5-hgw

!

vpdn-group 2

 accept-dialin

  protocol any

  virtual-template 3

 terminate-from hostname isdn-nas5-isp3

 local name isp3ac5-hgw

!

vpdn-group 3

 accept-dialin

  protocol any

  virtual-template 3

 terminate-from hostname nas3

 local name isp3ac5-hgw

!

vpdn-group 4

 accept-dialin

  protocol any

  virtual-template 3

 terminate-from hostname isdn-nas2-isp3

 local name isp3ac5-hgw

!

vpdn-group 5

 accept-dialin

  protocol any

  virtual-template 2

 terminate-from hostname nas5-b2b

 local name isp3ac5-hgw

!

vpdn-group 6

 accept-dialin

  protocol any

  virtual-template 3

 terminate-from hostname nas1

 local name isp3ac5-hgw

!

!

!

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key cisco123 address 192.232.1.25

crypto isakmp key cisco123 address 192.232.1.33

crypto isakmp key cisco123 address 192.232.1.57

!

!

crypto ipsec transform-set e2e ah-md5-hmac esp-des esp-md5-hmac 

!

crypto map vpdn-isg 10 ipsec-isakmp   

 set peer 192.232.1.25

 set transform-set e2e 

 match address 102

crypto map vpdn-isg 20 ipsec-isakmp   

 set peer 192.232.1.33

 set transform-set e2e 

 match address 103

crypto map vpdn-isg 30 ipsec-isakmp   

 set peer 192.232.1.57

 set transform-set e2e 

 match address 104

!

cns event-service server

!

!

!

!

!

!

!

!

!

interface Loopback0

 ip address 192.232.150.2 255.255.255.0 secondary

 ip address 192.232.150.230 255.255.255.0 secondary

 ip address 192.232.150.1 255.255.255.0

 no ip route-cache

 no ip mroute-cache

 no logging event link-status

!

interface FastEthernet0/0

 description "network to the Radius server - stss-ss20"

 ip address 192.250.3.9 255.255.255.248

 full-duplex

!

interface FastEthernet1/0

 no ip address

 full-duplex

 bridge-group 1

!

interface FastEthernet1/1

 no ip address

 bridge-group 1

!

interface Ethernet1/2

 no ip address

 bridge-group 1

!

interface Ethernet1/3

 no ip address

 shutdown

!

interface Ethernet1/4

 no ip address

 shutdown

!

interface Ethernet1/5

 no ip address

 shutdown

!

interface Ethernet1/6

 no ip address

 shutdown

!

interface Ethernet1/7

 no ip address

 shutdown

!

interface Ethernet1/8

 no ip address

 shutdown

!

interface Ethernet1/9

 no ip address

 shutdown

!

interface Ethernet1/10

 no ip address

 shutdown

!

interface Ethernet1/11

 no ip address

 shutdown

!

interface Ethernet1/12

 no ip address

 shutdown

!

interface Ethernet1/13

 no ip address

 shutdown

!

interface FastEthernet3/0

 description To ISP3DA4, Fa5/1

 ip address 192.250.3.2 255.255.255.248

 no ip route-cache

 no ip mroute-cache

 half-duplex

!

interface FastEthernet4/0

 description "to IXIA 01/07/04, the pair of 01/07/03"

 ip address 192.236.8.1 255.255.248.0

 no ip route-cache

 no ip mroute-cache

 load-interval 30

 full-duplex

 no cdp enable

!

interface Ethernet5/0

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

 no cdp enable

!

interface Ethernet5/1

 description To BACKDOOR NETWORK

 ip address 223.255.243.128 255.255.240.0

 no cdp enable

!

interface Ethernet5/2

 no ip address

 shutdown

!

interface Ethernet5/3

 description "to IXIA 01/08/02, the pair of 01/08/01"

 ip address 192.236.32.1 255.255.248.0

 no ip route-cache

 no ip mroute-cache

 no cdp enable

!

interface Ethernet5/4

 description "to IXIA 01/07/01, the pair of 01/07/02"

 ip address 192.236.48.1 255.255.248.0

 no ip route-cache

 no ip mroute-cache

 no cdp enable

!

interface Ethernet5/5

 no ip address

!

interface Ethernet5/6

 no ip address

 shutdown

!

interface Ethernet5/7

 ip address 10.10.10.13 255.255.255.0

!

interface Virtual-Template1

 ip unnumbered FastEthernet3/0

 no keepalive

 peer default ip address pool ISP3POOL

 ppp authentication chap pap

!

interface Virtual-Template2

 ip unnumbered FastEthernet3/0

 no ip route-cache

 load-interval 30

 no keepalive

 peer default ip address pool ISP3POOL

 ppp authentication chap pap

!

interface Virtual-Template3

 ip unnumbered FastEthernet3/0

 no ip route-cache

 no keepalive

 ppp authentication chap pap

 crypto map vpdn-isg

!

ip local pool ISP3POOL 192.239.192.1 192.239.199.254

ip kerberos source-interface any

no ip classless

ip route 0.0.0.0 0.0.0.0 192.250.3.1

ip route 192.232.1.0 255.255.255.248 192.232.1.1

ip route 192.232.1.8 255.255.255.248 192.232.1.9

ip route 192.232.1.16 255.255.255.248 192.232.1.17

ip route 192.232.1.24 255.255.255.248 192.232.1.25

ip route 192.232.1.32 255.255.255.248 192.232.1.33

ip route 192.232.1.40 255.255.255.248 192.232.1.41

ip route 192.232.1.48 255.255.255.248 192.232.1.49

ip route 192.232.1.56 255.255.255.248 192.232.1.57

no ip http server

!

access-list 102 permit ip 192.250.3.0 0.0.0.7 192.232.1.24 0.0.0.7

access-list 103 permit ip 192.250.3.0 0.0.0.7 192.232.1.32 0.0.0.7

access-list 104 permit ip 192.250.3.0 0.0.0.7 192.232.1.56 0.0.0.7

snmp-server engineID local 00000009020000027D419C00

snmp-server community public RO

snmp-server community STSS RW

snmp-server packetsize 2048

snmp-server contact Mark Manzanares (mmanzana@cisco.com)

snmp-server chassis-id ISP3AC5

snmp-server enable traps snmp authentication linkdown linkup coldstart

snmp-server enable traps casa

snmp-server enable traps gtp

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps channel

snmp-server enable traps snasw alert

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps envmon

snmp-server enable traps bgp

snmp-server enable traps ipmulticast

snmp-server enable traps rsvp

snmp-server enable traps frame-relay

snmp-server enable traps syslog

snmp-server enable traps rtr

snmp-server enable traps dlsw

snmp-server enable traps dial

snmp-server enable traps voice poor-qov

snmp-server enable traps xgcp

!

tacacs-server host 223.255.254.254

tacacs-server key cisco12345

bridge 1 protocol ieee

!

alias exec int_desc show int | include Description

alias exec cpu show proc cpu | include CPU

alias exec mem show mem free | include Processor

!

line con 0

 exec-timeout 0 0

 login authentication NO_Auth

 transport input none

line aux 0

 exec-timeout 0 0

line vty 0 4

 exec-timeout 0 0

 password lab

line vty 5 15

 password lab

!

exception protocol ftp

exception region-size 36864

exception flash all disk0:

ntp clock-period 17180166

ntp update-calendar

ntp server 223.255.254.254 version 1

end

LNS TACACS+ Server Configuration

user = isdn4@isp3-2com{

      password = chap "lab"

      service=ppp {

      protocol=lcp {

      }

      protocol=ip {

      }

Debug Output

The following sections shows debug output from successful IPSec negotiation between the peer and LNS:

•Peer Debug Output from Successful IPSec Negotiation

•LNS Debug Output From Successful IPSec Negotiation

Peer Debug Output from Successful IPSec Negotiation

isdn4#show debug

Cryptographic Subsystem:

  Crypto ISAKMP debugging is on

  Crypto Engine debugging is on

  Crypto IPSEC debugging is on

isdn4#

isdn4#

*Mar  1 16:22:53 PDT: IPSEC(sa_request): ,

  (key eng. msg.) src= 192.232.1.25, dest= 192.250.3.2, 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x87E2ABDD(2279779293), conn_id= 0, keysize= 0, flags= 0x4004

*Mar  1 16:22:53 PDT: IPSEC(sa_request): ,

  (key eng. msg.) src= 192.232.1.25, dest= 192.250.3.2, 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x9400618(155190808), conn_id= 0, keysize= 0, flags= 0x4004

*Mar  1 16:22:53 PDT: ISAKMP: received ke message (1/2)

*Mar  1 16:22:53 PDT: ISAKMP: local port 500, remote port 500

*Mar  1 16:22:53 PDT: ISAKMP (0:1): beginning Main Mode exchange

*Mar  1 16:22:53 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) MM_NO_STATE

.

*Mar  1 16:22:56 PDT: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up.

*Mar  1 16:22:56 PDT: %DIALER-6-BIND: Interface BR0:1 bound to profile Di6...

Success rate is 0 percent (0/5)

isdn4#

*Mar  1 16:23:02 PDT: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 50127

 unknown

*Mar  1 16:23:02 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, cha

nged state to up

*Mar  1 16:23:02 PDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has

 invalid spi for

        destaddr=192.232.1.25, prot=51, spi=0x1C080522(470287650)

*Mar  1 16:23:03 PDT: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 16:23:03 PDT: ISAKMP (0:1): incrementing error counter on sa: retransmit 

phase 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 16:23:03 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) MM_NO_STATE

*Mar  1 16:23:03 PDT: ISAKMP (0:1): received packet from 192.250.3.2 (I) MM_NO_ST

ATE

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing SA payload. message ID = 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): found peer pre-shared key matching 192.250.3.

2

*Mar  1 16:23:03 PDT: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 

1 policy

*Mar  1 16:23:03 PDT: ISAKMP:      encryption DES-CBC

*Mar  1 16:23:03 PDT: ISAKMP:      hash SHA

*Mar  1 16:23:03 PDT: ISAKMP:      default group 1

*Mar  1 16:23:03 PDT: ISAKMP:      auth pre-share

*Mar  1 16:23:03 PDT: ISAKMP (0:1): atts are acceptable. Next payload is 0

*Mar  1 16:23:03 PDT: CryptoEngine0: generate alg parameter

*Mar  1 16:23:03 PDT: CRYPTO_ENGINE: Dh phase 1 status: 0

*Mar  1 16:23:03 PDT: CRYPTO_ENGINE: Dh phase 1 status: 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): SA is doing pre-shared key authentication usi

ng id type ID_IPV4_ADDR

*Mar  1 16:23:03 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) MM_SA_SETUP

*Mar  1 16:23:03 PDT: ISAKMP (0:1): received packet from 192.250.3.2 (I) MM_SA_SE

TUP

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing KE payload. message ID = 0

*Mar  1 16:23:03 PDT: CryptoEngine0: generate alg parameter

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing NONCE payload. message ID = 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): found peer pre-shared key matching 192.250.3.

2

*Mar  1 16:23:03 PDT: CryptoEngine0: create ISAKMP SKEYID for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): SKEYID state generated

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing vendor id payload

*Mar  1 16:23:03 PDT: ISAKMP (0:1): speaking to another IOS box!

*Mar  1 16:23:03 PDT: ISAKMP (1): ID payload

        next-payload : 8

        type         : 1

        protocol     : 17

        port         : 500

        length       : 8

*Mar  1 16:23:03 PDT: ISAKMP (1): Total payload length: 12

*Mar  1 16:23:03 PDT: CryptoEngine0: generate hmac context for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) MM_KEY_EXCH

*Mar  1 16:23:03 PDT: ISAKMP (0:1): received packet from 192.250.3.2 (I) MM_KEY_E

XCH

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing ID payload. message ID = 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing HASH payload. message ID = 0

*Mar  1 16:23:03 PDT: CryptoEngine0: generate hmac context for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): SA has been authenticated with 192.250.3.2

*Mar  1 16:23:03 PDT: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 211899

060

*Mar  1 16:23:03 PDT: CryptoEngine0: generate hmac context for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) QM_IDLE    

*Mar  1 16:23:03 PDT: CryptoEngine0: clear dh number for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): received packet from 192.250.3.2 (I) QM_IDLE 

*Mar  1 16:23:03 PDT: CryptoEngine0: generate hmac context for conn id 1

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing HASH payload. message ID = 2118990

60

*Mar  1 16:23:03 PDT: ISAKMP (0:1): processing SA payload. message ID = 211899060

*Mar  1 16:23:03 PDT: ISAKMP (0:1): Checking IPSec proposal 1

*Mar  1 16:23:03 PDT: ISAKMP: transform 1, AH_MD5

*Mar  1 16:23:03 PDT: ISAKMP:   attributes in transform:

*Mar  1 16:23:03 PDT: ISAKMP:      encaps is 1

*Mar  1 16:23:03 PDT: ISAKMP:      SA life type in seconds

*Mar  1 16:23:03 PDT: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 16:23:03 PDT: ISAKMP:      SA life type in kilobytes

*Mar  1 16:23:03 PDT: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

*Mar  1 16:23:03 PDT: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 16:23:03 PDT: validate proposal 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): atts are acceptable.

*Mar  1 16:23:03 PDT: ISAKMP (0:1): Checking IPSec proposal 1

*Mar  1 16:23:03 PDT: ISAKMP: transform 1, ESP_DES

*Mar  1 16:23:03 PDT: ISAKMP:   attributes in transform:

*Mar  1 16:23:03 PDT: ISAKMP:      encaps is 1

*Mar  1 16:23:03 PDT: ISAKMP:      SA life type in seconds

*Mar  1 16:23:03 PDT: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 16:23:03 PDT: ISAKMP:      SA life type in kilobytes

*Mar  1 16:23:03 PDT: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

*Mar  1 16:23:03 PDT: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 16:23:03 PDT: validate proposal 0

*Mar  1 16:23:03 PDT: ISAKMP (0:1): atts are acceptable.

*Mar  1 16:23:03 PDT: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 0s and 0kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

*Mar  1 16:23:03 PDT: IPSEC(validate_proposal_request): proposal part #2,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 0s and 0kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

*Mar  1 16:23:03 PDT: validate proposal request 0

*Mar  1 16:23:04 PDT: ISAKMP (0:1): processing NONCE payload. message ID = 211899

060

*Mar  1 16:23:04 PDT: ISAKMP (0:1): processing ID payload. message ID = 211899060

*Mar  1 16:23:04 PDT: ISAKMP (0:1): processing ID payload. message ID = 211899060

*Mar  1 16:23:04 PDT: CryptoEngine0: generate hmac context for conn id 1

*Mar  1 16:23:04 PDT: ipsec allocate flow 0

*Mar  1 16:23:04 PDT: ipsec allocate flow 0

*Mar  1 16:23:04 PDT: ISAKMP (0:1): Creating IPSec SAs

*Mar  1 16:23:04 PDT:         inbound SA from 192.250.3.2 to 192.232.1.25

        (proxy 192.250.3.0 to 192.232.1.24)

*Mar  1 16:23:04 PDT:         has spi 0x87E2ABDD and conn_id 2000 and flags 4

*Mar  1 16:23:04 PDT:         lifetime of 3600 seconds

*Mar  1 16:23:04 PDT:         lifetime of 4608000 kilobytes

*Mar  1 16:23:04 PDT:         outbound SA from 192.232.1.25    to 192.250.3.2    

 (proxy 192.232.1.24    to 192.250.3.0    )

*Mar  1 16:23:04 PDT:         has spi -213910971 and conn_id 2001 and flags 4

*Mar  1 16:23:04 PDT:         lifetime of 3600 seconds

*Mar  1 16:23:04 PDT:         lifetime of 4608000 kilobytes

*Mar  1 16:23:04 PDT: ISAKMP (0:1): Creating IPSec SAs

*Mar  1 16:23:04 PDT:         inbound SA from 192.250.3.2 to 192.232.1.25

        (proxy 192.250.3.0 to 192.232.1.24)

*Mar  1 16:23:04 PDT:         has spi 0x9400618 and conn_id 2002 and flags 4

*Mar  1 16:23:04 PDT:         lifetime of 3600 seconds

*Mar  1 16:23:04 PDT:         lifetime of 4608000 kilobytes

*Mar  1 16:23:04 PDT:         outbound SA from 192.232.1.25    to 192.250.3.2    

 (proxy 192.232.1.24    to 192.250.3.0    )

*Mar  1 16:23:04 PDT:         has spi -1518012306 and conn_id 2003 and flags 4

*Mar  1 16:23:04 PDT:         lifetime of 3600 seconds

*Mar  1 16:23:04 PDT:         lifetime of 4608000 kilobytes

*Mar  1 16:23:04 PDT: ISAKMP (0:1): sending packet to 192.250.3.2 (I) QM_IDLE    

*Mar  1 16:23:04 PDT: ISAKMP (0:1): deleting node 211899060 error FALSE reason ""

*Mar  1 16:23:04 PDT: IPSEC(key_engine): got a queue event...

*Mar  1 16:23:04 PDT: IPSEC(initialize_sas): ,

  (key eng. msg.) dest= 192.232.1.25, src= 192.250.3.2, 

    dest_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x87E2ABDD(2279779293), conn_id= 2000, keysize= 0, flags= 0x4

*Mar  1 16:23:04 PDT: IPSEC(initialize_sas): ,

  (key eng. msg.) src= 192.232.1.25, dest= 192.250.3.2, 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0xF33FFA45(4081056325), conn_id= 2001, keysize= 0, flags= 0x4

*Mar  1 16:23:04 PDT: IPSEC(initialize_sas): ,

  (key eng. msg.) dest= 192.232.1.25, src= 192.250.3.2, 

    dest_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x9400618(155190808), conn_id= 2002, keysize= 0, flags= 0x4

*Mar  1 16:23:04 PDT: IPSEC(initialize_sas): ,

  (key eng. msg.) src= 192.232.1.25, dest= 192.250.3.2, 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0xA584F86E(2776954990), conn_id= 2003, keysize= 0, flags= 0x4

*Mar  1 16:23:04 PDT: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.232.1.25, sa_prot= 51, 

    sa_spi= 0x87E2ABDD(2279779293), 

    sa_trans= ah-md5-hmac , sa_conn_id= 2000

*Mar  1 16:23:04 PDT: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.250.3.2, sa_prot= 51, 

    sa_spi= 0xF33FFA45(4081056325), 

    sa_trans= ah-md5-hmac , sa_conn_id= 2001

*Mar  1 16:23:04 PDT: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.232.1.25, sa_prot= 50, 

    sa_spi= 0x9400618(155190808), 

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002

*Mar  1 16:23:04 PDT: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.250.3.2, sa_prot= 50, 

    sa_spi= 0xA584F86E(2776954990), 

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003

isdn4#

LNS Debug Output From Successful IPSec Negotiation

ISP3AC5#show debug

Cryptographic Subsystem:

  Crypto ISAKMP debugging is on

  Crypto Engine debugging is on

  Crypto Key Exchange debugging is on

  Crypto IPSEC debugging is on

ISP3AC5#

ISP3AC5#

Oct  3 13:05:41 PST: %LINK-3-UPDOWN: Interface Virtual-Access152, changed state t

o up

Oct  3 13:05:47 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Acce

ss152, changed state to up

Oct  3 13:05:48 PST: ISAKMP (0:0): received packet from 192.232.1.25 (N) NEW SA

Oct  3 13:05:48 PST: ISAKMP: local port 500, remote port 500

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing SA payload. message ID = 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): found peer pre-shared key matching 192.232.

1.25

Oct  3 13:05:48 PST: ISAKMP (0:1365): Checking ISAKMP transform 1 against priorit

y 1 policy

Oct  3 13:05:48 PST: ISAKMP:      encryption DES-CBC

Oct  3 13:05:48 PST: ISAKMP:      hash SHA

Oct  3 13:05:48 PST: ISAKMP:      default group 1

Oct  3 13:05:48 PST: ISAKMP:      auth pre-share

Oct  3 13:05:48 PST: ISAKMP (0:1365): atts are acceptable. Next payload is 0

Oct  3 13:05:48 PST: CryptoEngine0: generate alg parameter

Oct  3 13:05:48 PST: CRYPTO_ENGINE: Dh phase 1 status: 0

Oct  3 13:05:48 PST: CRYPTO_ENGINE: Dh phase 1 status: 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): SA is doing pre-shared key authentication u

sing id type ID_IPV4_ADDR

Oct  3 13:05:48 PST: ISAKMP (0:1365): sending packet to 192.232.1.25 (R) MM_SA_SE

TUP

Oct  3 13:05:48 PST: ISAKMP (0:1365): received packet from 192.232.1.25 (R) MM_SA

_SETUP

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing KE payload. message ID = 0

Oct  3 13:05:48 PST: CryptoEngine0: generate alg parameter

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing NONCE payload. message ID = 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): found peer pre-shared key matching 192.232.

1.25

Oct  3 13:05:48 PST: CryptoEngine0: create ISAKMP SKEYID for conn id 1365

Oct  3 13:05:48 PST: ISAKMP (0:1365): SKEYID state generated

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing vendor id payload

Oct  3 13:05:48 PST: ISAKMP (0:1365): speaking to another IOS box!

Oct  3 13:05:48 PST: ISAKMP (0:1365): sending packet to 192.232.1.25 (R) MM_KEY_E

XCH

Oct  3 13:05:48 PST: ISAKMP (0:1365): received packet from 192.232.1.25 (R) MM_KE

Y_EXCH

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing ID payload. message ID = 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing HASH payload. message ID = 0

Oct  3 13:05:48 PST: CryptoEngine0: generate hmac context for conn id 1365

Oct  3 13:05:48 PST: ISAKMP (0:1365): SA has been authenticated with 192.232.1.25

Oct  3 13:05:48 PST: ISAKMP (1365): ID payload

        next-payload : 8

        type         : 1

        protocol     : 17

        port         : 500

        length       : 8

Oct  3 13:05:48 PST: ISAKMP (1365): Total payload length: 12

Oct  3 13:05:48 PST: CryptoEngine0: generate hmac context for conn id 1365

Oct  3 13:05:48 PST: CryptoEngine0: clear dh number for conn id 1

Oct  3 13:05:48 PST: ISAKMP (0:1365): sending packet to 192.232.1.25 (R) QM_IDLE 

Oct  3 13:05:48 PST: ISAKMP (0:1365): received packet from 192.232.1.25 (R) QM_ID

LE      

Oct  3 13:05:48 PST: CryptoEngine0: generate hmac context for conn id 1365

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing HASH payload. message ID = 21189

9060

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing SA payload. message ID = 2118990

60

Oct  3 13:05:48 PST: ISAKMP (0:1365): Checking IPSec proposal 1

Oct  3 13:05:48 PST: ISAKMP: transform 1, AH_MD5

Oct  3 13:05:48 PST: ISAKMP:   attributes in transform:

Oct  3 13:05:48 PST: ISAKMP:      encaps is 1

Oct  3 13:05:48 PST: ISAKMP:      SA life type in seconds

Oct  3 13:05:48 PST: ISAKMP:      SA life duration (basic) of 3600

Oct  3 13:05:48 PST: ISAKMP:      SA life type in kilobytes

Oct  3 13:05:48 PST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

Oct  3 13:05:48 PST: ISAKMP:      authenticator is HMAC-MD5

Oct  3 13:05:48 PST: validate proposal 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): atts are acceptable.

Oct  3 13:05:48 PST: ISAKMP (0:1365): Checking IPSec proposal 1

Oct  3 13:05:48 PST: ISAKMP: transform 1, ESP_DES

Oct  3 13:05:48 PST: ISAKMP:   attributes in transform:

Oct  3 13:05:48 PST: ISAKMP:      encaps is 1

Oct  3 13:05:48 PST: ISAKMP:      SA life type in seconds

Oct  3 13:05:48 PST: ISAKMP:      SA life duration (basic) of 3600

Oct  3 13:05:48 PST: ISAKMP:      SA life type in kilobytes

Oct  3 13:05:48 PST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

Oct  3 13:05:48 PST: ISAKMP:      authenticator is HMAC-MD5

Oct  3 13:05:48 PST: validate proposal 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): atts are acceptable.

Oct  3 13:05:48 PST: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 0s and 0kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

Oct  3 13:05:48 PST: IPSEC(validate_proposal_request): proposal part #2,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 0s and 0kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

Oct  3 13:05:48 PST: validate proposal request 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing NONCE payload. message ID = 2118

99060

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing ID payload. message ID = 2118990

60

Oct  3 13:05:48 PST: ISAKMP (1365): ID_IPV4_ADDR_SUBNET src 192.232.1.24/255.255.

255.248 prot 0 port 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): processing ID payload. message ID = 2118990

60

Oct  3 13:05:48 PST: ISAKMP (1365): ID_IPV4_ADDR_SUBNET dst 192.250.3.0/255.255.2

55.248 prot 0 port 0

Oct  3 13:05:48 PST: ISAKMP (0:1365): asking for 2 spis from ipsec

Oct  3 13:05:48 PST: IPSEC(key_engine): got a queue event...

Oct  3 13:05:48 PST: IPSEC(spi_response): getting spi 4081056325 for SA 

        from 192.232.1.25    to 192.250.3.2     for prot 2

Oct  3 13:05:48 PST: IPSEC(spi_response): getting spi 2776954990 for SA 

        from 192.232.1.25    to 192.250.3.2     for prot 3

Oct  3 13:05:48 PST: ISAKMP: received ke message (2/2)

Oct  3 13:05:49 PST: CryptoEngine0: generate hmac context for conn id 1365

Oct  3 13:05:49 PST: ISAKMP (0:1365): sending packet to 192.232.1.25 (R) QM_IDLE 

Oct  3 13:05:49 PST: ISAKMP (0:1365): received packet from 192.232.1.25 (R) QM_ID

LE      

Oct  3 13:05:49 PST: CryptoEngine0: generate hmac context for conn id 1365

Oct  3 13:05:49 PST: ipsec allocate flow 0

Oct  3 13:05:49 PST: ipsec allocate flow 0

Oct  3 13:05:49 PST: ISAKMP (0:1365): Creating IPSec SAs

Oct  3 13:05:49 PST:         inbound SA from 192.232.1.25 to 192.250.3.2

        (proxy 192.232.1.24 to 192.250.3.0)

Oct  3 13:05:49 PST:         has spi 0xF33FFA45 and conn_id 2218 and flags 4

Oct  3 13:05:49 PST:         lifetime of 3600 seconds

Oct  3 13:05:49 PST:         lifetime of 4608000 kilobytes

Oct  3 13:05:49 PST:         outbound SA from 192.250.3.2     to 192.232.1.25    

(proxy 192.250.3.0     to 192.232.1.24   )

Oct  3 13:05:49 PST:         has spi -2015188003 and conn_id 2219 and flags 4

Oct  3 13:05:49 PST:         lifetime of 3600 seconds

Oct  3 13:05:49 PST:         lifetime of 4608000 kilobytes

Oct  3 13:05:49 PST: ISAKMP (0:1365): Creating IPSec SAs

Oct  3 13:05:49 PST:         inbound SA from 192.232.1.25 to 192.250.3.2

        (proxy 192.232.1.24 to 192.250.3.0)

Oct  3 13:05:49 PST:         has spi 0xA584F86E and conn_id 2220 and flags 4

Oct  3 13:05:49 PST:         lifetime of 3600 seconds

Oct  3 13:05:49 PST:         lifetime of 4608000 kilobytes

Oct  3 13:05:49 PST:         outbound SA from 192.250.3.2     to 192.232.1.25    

(proxy 192.250.3.0     to 192.232.1.24   )

Oct  3 13:05:49 PST:         has spi 155190808 and conn_id 2221 and flags 4

Oct  3 13:05:49 PST:         lifetime of 3600 seconds

Oct  3 13:05:49 PST:         lifetime of 4608000 kilobytes

Oct  3 13:05:49 PST: ISAKMP (0:1365): deleting node 211899060 error FALSE reason 

"quick mode done (await()"

Oct  3 13:05:49 PST: IPSEC(key_engine): got a queue event...

Oct  3 13:05:49 PST: IPSEC(initialize_sas): ,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0xF33FFA45(4081056325), conn_id= 2218, keysize= 0, flags= 0x4

Oct  3 13:05:49 PST: IPSEC(initialize_sas): ,

  (key eng. msg.) src= 192.250.3.2, dest= 192.232.1.25, 

    src_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= AH, transform= ah-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x87E2ABDD(2279779293), conn_id= 2219, keysize= 0, flags= 0x4

Oct  3 13:05:49 PST: IPSEC(initialize_sas): ,

  (key eng. msg.) dest= 192.250.3.2, src= 192.232.1.25, 

    dest_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    src_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0xA584F86E(2776954990), conn_id= 2220, keysize= 0, flags= 0x4

Oct  3 13:05:49 PST: IPSEC(initialize_sas): ,

  (key eng. msg.) src= 192.250.3.2, dest= 192.232.1.25, 

    src_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    dest_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac , 

    lifedur= 3600s and 4608000kb, 

    spi= 0x9400618(155190808), conn_id= 2221, keysize= 0, flags= 0x4

Oct  3 13:05:49 PST: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.250.3.2, sa_prot= 51, 

    sa_spi= 0xF33FFA45(4081056325), 

    sa_trans= ah-md5-hmac , sa_conn_id= 2218

Oct  3 13:05:49 PST: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.232.1.25, sa_prot= 51, 

    sa_spi= 0x87E2ABDD(2279779293), 

    sa_trans= ah-md5-hmac , sa_conn_id= 2219

Oct  3 13:05:49 PST: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.250.3.2, sa_prot= 50, 

    sa_spi= 0xA584F86E(2776954990), 

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2220

Oct  3 13:05:49 PST: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.232.1.25, sa_prot= 50, 

    sa_spi= 0x9400618(155190808), 

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2221

Oct  3 13:05:49 PST: IPSEC(add_sa): peer asks for new SAs -- expire current in 12

0 sec.,

  (sa) sa_dest= 192.232.1.25, sa_prot= 50, 

    sa_spi= 0xE1DAEAC0(3789220544), 

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2213,

  (identity) local= 192.250.3.2, remote= 192.232.1.25, 

    local_proxy= 192.250.3.0/255.255.255.248/0/0 (type=4), 

    remote_proxy= 192.232.1.24/255.255.255.248/0/0 (type=4)

Related Documents

•IPSec Overview: http://www.cisco.com/warp/customer/cc/techno/protocol/ipsecur/prodlit/ipsec_ov.htm

•IPSec White Paper: http://www.cisco.com/warp/customer/cc/techno/protocol/ipsecur/ipsec/tech/ipsec_wp.htm

•Securing L2TP Using IPSec: http://search.ietf.org/internet-drafts/draft-ietf-l2tpext-security-01.txt

•Configuring IPSec Network Security: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm

•IPSec Network Security Commands: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdipsec.htm

•Configuring Internet Key Exchange Security Protocol: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdike.htm

•Internet Key Exchange Security Protocol Commands: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdike.htm

•L2TP over IPSec configurations for IPSec between the LAC and LNS: http://www.cisco.com/warp/public/707/24.html