Pages

Sunday 6 May 2012

IPSEC Common Issues


IPSEC Common Issues

· NAT with IPSec
· Firewalling and IPSec
· MTU Issues
· Loss of Connectivity of IPSec Peers
· Routing
· Interoperability Troubleshooting

Bypassing NAT Entries in ASA

NAT in the Middle of an IPSec Tunnel

Firewall in the Middle

IPSec MTU Issue






Other Issues – Errors
· IKE Policy mismatch
· Pre-shared key mismatch
· Access-list mismatch
· IPSec policy mismatch
· IKE Pool misconfigured
· IPSec peer misconfigured
· Additional Considerations


IKE Policy mismatch :-
If there is a mismatch or if there are no common ISAKMP policies then the following error will be seen.The solution is to configure a common ISAKMP policy on both peers.
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!


Pre-shared key mismatch :-
If the pre-shared keys on both the peers do not match then the following error will be seen.
1d00H:%CRPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.172.34 failed its sanity check or is malformed
which will result in :
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at172.16.172.34
Access-list mismatch :-
If the access-lists on the peer IPSEC devices do not match that is if they are not mirror images of each other then the following error will occur :
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
It is also important to note that the word “any” should not be used in the access-list .
IPSec policy mismatch :-
If the IPSEC transform-set policies do not match , then the following error will be seen. Both the peer should have identical IPSEC transform-set policies.
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5 IPSEC(validate_proposal): transform propos al (prot 3, trans 2, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
IKE Pool misconfigured :-
If the PIX is configured for IKE mode-config and the pool is misconfigured then the following error will be seen:
IPSEC(key_engine_delete_sas): delete all SAs shared with 171.69.89.116
return status is IKMP_NO_ERR_NO_TRANS04101: ISAKMP: Failed to allocate address for client from pool
ISADB: reaper checking SA 0x80e02638, conn_id = 0 DELETE IT!
IPSec peer misconfigured :-
If the IPSEC peer is misconfigured under the crypto map , then the following error message will be seen
1d00h: ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 172.167.172.33
1d00h: ISAKMP (0:1): purging SA


Additional Considerations - Split tunneling
We need to use “split tunneling” when using the Unity client if we want to simultaneously have a IPSEC tunnel to the PIX and also INTERNET connection.
vpngroup vpn3000 split-tunnel 160
access-list 160 permit ip 192.168.2.0 255.255.255.0 30.1.1.0 55.255.255.0
Here the IPSEC tunnel will be only established between the source destination specified by the access-list.
Additional Considerations IPSec Multiple peers
If there are multiple peers to a PIX , make sure that the match address access-lists for each of the peers are mutually exclusive from the match address access list for the other peers
If this is not done, the PIX will choose the wrong crypto map to try and establish a tunnel with one of the peers


Additional Considerations
IPSec from behind low-end firewalls
Issues
With IPSec/ESP or IPSec/UDP, two VPN users to SAME IPSec VPN server
– 2nd user may be disallowed
2nd user may cause disconnection of 1st user
Solutions
Multiples ISAKMP sessions
Vary source port [NOT UDP 500] and keep track
Based on SPI [Keep UDP 500/500]
Additional Considerations
DES - 3DES issue
When using SSH, if the pix has only DES key enabled
and SSH client is 3DES then the following error will occur
pix520-1(config)# 315011: SSH session from 171.69.89.116 on interface outside for user "" disconnected by SSH server, reason: "Invalid cipher type" (0x06)315011: SSH session from 171.69.89.116 on interface outside for user "" disconnected by SSH server, reason: "Invalid cipher type" (0x06)
We can also use the “ sh ssh sessions” to view the current ssh connections

IPSec and Path MTU Discovery

How to manually determine Path MTU

Ping from client PC:
    •     ping www.cisco.com -l 1400 -f
    •     Pinging www.cisco.com [198.133.219.25] with 1400 bytes of data:
    •     Reply from 198.133.219.25: bytes=1400 time=168ms TTL=120    
    •     ping www.cisco.com -l 1500 -f
    •     Pinging www.cisco.com [198.133.219.25] with 1500 bytes of data:
    •     Packet needs to be fragmented but DF set.
Ping from the router:
    •   sv3-6#ping ip
    •   Target IP address: 198.133.219.25
    •     Repeat count [5]: 1
    •   Datagram size [100]: 1400
    •   Extended commands [n]: y
    •   Source address or interface: FastEthernet0/0
    •   Set DF bit in IP header? [no]: yes
    •   Sweep min size [36]: 1400
    •   Sweep max size [18024]: 1500
    •   Sweep interval [1]: 10
    •    !!!!......
MTU Issues Work Around:  Adjusting IP MTU & TCP MSS
ASA/PIX:      mtu outside 1492
                        sysopt connection tcpmss 1392
IP Fragmentation and PMTUD
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml

Loss of Connectivity of IPSec Peers


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)