Showing posts with label VPN. Show all posts

Monday, September 11, 2017

Cisco Router IKEv2 IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide the Peer Identity Protection.
  • IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses quick mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

Tuesday, September 5, 2017

Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

There was a VPN issue to troubleshoot recently, between a Juniper SRX and a Cisco router. It seemed straightforward, but it took quite a long time to troubleshoot because of communication problems. All steps are listed here for my future reference.

Some other related posts:


1. Enabled Debugging on Cisco IOS Router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor

Wednesday, February 22, 2017

Renew Cisco IOS IPSec VPN Certificates from Symantec

I am not sure if there is any better way to do it. There is no good documentation from Cisco or elsewhere on what you should do to renew your SSL certificates once they have expired. Every couple of years I have to face this problem: renewing all routers' SSL certificates. As far as I know, you cannot renew existing certificates; you have to create a new trustpoint, generate a new CSR and import the renewed certificate. You can actually reuse the same trustpoint configuration as before, as long as you use a different trustpoint name.

I recorded those steps, which I did a couple of years ago, in the following posts:

Thursday, August 4, 2016

Cisco Configuration Professional (CCP) Configure IOS SSL VPN (AnyConnect SSL VPN)

Basic Cisco Configuration Professional (CCP) configuration has been posted before at the following link:
This post will demonstrate how to use CCP to configure SSL VPN on an IOS router.

1. Confirm SSL-VPN License Installed

You can review another post regarding how to add a Cisco license to a router.

Monday, February 22, 2016

Cisco ASA Remote Access VPN Configuration 2 - AnyConnect VPN

Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks in this post are as follows:
  • Configure the basic ASA SSL VPN gateway features.
  • Configure local user authentication.
  • Configure IPv4/IPv6 address assignment.
  • Configure basic access control.
  • Install the Cisco AnyConnect Secure Mobility Client.
Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).

Related posts in this blog:
1. Topology

In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.

The DMZ (Security Level 50) interface will be used to simulate the external connection to the Internet.
The INTERNAL (Security Level 100) interface connects to the local network.

Friday, February 19, 2016

Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN

Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. Unlike other common VPN client solutions, the Clientless SSL VPN does not require that a client download and install a VPN client; all communications to the central location (where the ASA is located) are done via Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS).

This post describes how to build a remote access VPN connection using the Clientless SSL VPN feature.
Related posts in this blog:

1. Topology

Monday, January 11, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (1) - High Availability IPSec

IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. It provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPsec. You can use IPsec to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

"IKE," which stands for "Internet Key Exchange," is a protocol that belongs to the IPsec protocol suite. Its responsibility is setting up the security associations that allow two parties to send data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later.

This post summarizes a typical Cisco IOS IPSec VPN IKEv1 setup, covering both standalone and High Availability implementations. The next post will cover how to use different CAs to authenticate IKE. This post focuses on IKEv1 (Internet Key Exchange version 1); IKEv2 will be summarized later in this blog.

Typical Topology:
R1: G0/0 - (It is VIP in high availability deployment)
R2: G0/0 -

R1: G0/1 - Internal Interface for network 192.168.20.x/24
R2: G0/1 - Internal Interface for network 172.21.91.x/24

Saturday, January 9, 2016

Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment

Digital certificates as an authentication method for IPSec VPNs are becoming increasingly popular for both remote access and site-to-site deployments. The use of digital certificates requires some form of PKI infrastructure, such as a CA server. In this post, the Symantec public CA will be used as an example to authenticate the certificates exchanged between two IPSec VPN gateways. There are some other posts in this blog relating to this topic; please check them using the following list:

This post mainly documents the steps to build a third-party certificate based IPSec VPN, including how to submit the gateway's CSR to Symantec, get your certs signed by the Symantec CA, and install those signed certs on your gateways. The first 8 steps are the same for both standalone and high availability deployments. The only difference is step 9, which is used only in the high availability configuration.

Wednesday, January 6, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) - Using Two Different CA Certificates

Pre-shared keys and digital certificates are two primary authentication methods in IKE that can be used in the context of IPSec VPN deployments.

Digital certificates provide a means to digitally authenticate devices and individual users. An individual that wishes to send encrypted data obtains a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available. The recipient of the encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply. Public key infrastructure (PKI) is the enabler for managing digital certificates for IPSec VPN deployment. The most widely used format for digital certificates is X.509, which is supported by Cisco IOS.

Saturday, August 15, 2015

Policy Based IPSec VPN Configuration Between SRX Firewalls

Juniper SRX supports both route-based and policy-based VPNs, which can be used in different scenarios depending on your environment and requirements.

Difference between them (KB15745)

With policy-based VPN tunnels, a tunnel is treated as an object that together with source, destination, application, and action, comprises a tunnel policy that permits VPN traffic. In a policy-based VPN configuration, a tunnel policy specifically references a VPN tunnel by name.

With route-based VPNs, a policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the security device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a secure tunnel (ST) interface, which is bound to a specific VPN tunnel.

Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.

Friday, January 16, 2015

Using PKI Build Route-Based IPSec VPN between Juniper SRX

There was a task to change the IPSec authentication method from pre-shared key to PKI certificate based. It was used on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls, generate a public/private key pair:

{primary:node0}root@fw-1> request security pki generate-key-pair certificate-id PRO size 2048   
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair

{primary:node0}root@fw-1> request security pki generate-certificate-request certificate-id PRO subject "CN=Admin,,OU=IT,O=test,L=M,ST=ON,C=CA" email filename ms-cert-req 
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
Fingerprint:
c7:dd:83:11:d1:8a:54:6c:5c:1e:7e:cd:79:73:c0:71:b0:ba:a5:fc (sha1)
f6:10:e3:1f:c0:07:3e:dc:5c:e5:8e:b5:51:2b:9a:1e (md5)

3. Submit Cert Request to the CA and Retrieve Certs

Monday, December 15, 2014

Certificate Import Failed with "% Failed to parse or verify imported certificate" because of Verisign Using new Intermediate CA Certs G4


I worked on an IPSec VPN certificate for a whole morning trying to import a certificate, and finally gave up and asked Verisign for support. I have done this many times and had detailed documentation recorded for the steps. But this time, the situation was different.

My previous post clearly shows all the steps I have to follow:
Unfortunately, this time the process got stuck at step 6 with the error "% Failed to parse or verify imported certificate"

m-dmz(config)#crypto pki import VerisignCA1 certificate 

Friday, December 12, 2014

Certification based Cisco IPSec VPN Down Caused by 'signature invalid'


Recently, I was troubleshooting an IPSec VPN certificate issue. One IPSec VPN router got rebooted, and afterwards the IPSec tunnel could not be re-established. It tested fine with a pre-shared key, but when changed back to certificates, ISAKMP authentication failed with a 'signature invalid' error.

Tuesday, July 29, 2014

CISCO ASA VPN Troubleshooting Tips

1. Clear VPN Configuration: 

clear configure crypto map VPN_AAAA

2. Debug and show commands:

Enable logging:

ciscoasa#terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer
ciscoasa(config)# debug crypto ipsec 127

The debug icmp trace command is used to capture the ICMP traffic of the user.

ciscoasa#debug icmp trace


!--- Output is suppressed.

ICMP echo request from to ID=512 seq=5120 len=32
ICMP echo reply from to ID=512 seq=5120 len=32

!--- The user IP address is

The user pings the inside interface of the ASA (ping This output is displayed on the console.

In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator to determine the source IP address. In this example, the source IP address of the user is The administrator is ready to learn more about application X and determine the cause of the problem.

To see the ISAKMP configuration: show run crypto isakmp
To see the IPSec configuration: show run crypto ipsec
To see the crypto map configuration: show run crypto map
To see IPsec operational data: show crypto ipsec sa
To see ISAKMP operational data: show crypto isakmp sa

To debug ISAKMP: debug crypto isakmp
To debug IPsec: debug crypto ipsec

To manually tear down an ISAKMP or IPsec SA:
clear crypto ipsec sa
clear crypto isakmp sa

To clear IPsec SA counters: clear crypto ipsec sa counters
To clear IPsec SAs by entry: clear crypto ipsec sa entry ipaddress
To clear IPsec SAs by map: clear crypto ipsec sa map cryptomap_name
To clear IPsec SAs by peer: clear crypto ipsec sa peer ipaddress
To clear the ISAKMP SA by IP address: clear crypto isakmp sa ipaddress

3. Recover Pre-Shared Key in Pix/ASA: 

more system:running-config

4. Use a capture to confirm IPSec packets hit the firewall:

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host
ciscoasa(config)#capture inside_interface access-list inside_test interface inside
The user pings the inside interface of the ASA (ping This output is displayed.

ciscoasa#show capture inside_interface
   1: 13:04:06.284897 > icmp: echo request

!--- The user IP address is

Note: In order to download the capture file to a system running a packet analyzer such as Ethereal, you can do it as this output shows.

!--- Open an Internet Explorer and browse with this https link format:

https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap
Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.

Turn off the packet capture and remove the ACL:

ASA(config)#no capture inside_interface
ASA(config)#clear configure access-list inside_test

You can clear the capture log by using this command:
ASA#clear capture inside_interface

You can also use the pipe functionality when viewing the capture output:
ASA#show capture inside_interface | inc

To confirm that the IPsec packets are reaching the firewall, a capture can be created for all UDP 500 (ISAKMP) traffic.
First, create an access-list for the traffic you would like to capture:
access-list capture1 permit udp any any eq 500

Next, create a capture:
capture cap1 access-list capture1 interface outside

Next, display the results of the capture:
show capture cap1 detail
1: 13:04:06.284897 > UDP:500

Or view the capture in a web browser using the https link format shown above.

5. Syslog

Make sure logging is enabled. The logging level needs to be set to debug. Logging can be sent to various locations. This example uses the ASA log buffer. You might need an external logging server in production environments.

ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging
The user pings the inside interface of the ASA (ping This output is displayed.

ciscoasa#show logging

!--- Output is suppressed.

%ASA-6-302020: Built ICMP connection for faddr
gaddr laddr
%ASA-6-302021: Teardown ICMP connection for faddr
gaddr laddr

!--- The user IP address is

6. Using 'ping -f' to troubleshoot MTU size over an IPsec VPN

The -f flag of the Windows ping command prevents the ICMP packet from being fragmented (the DF bit is set). Combined with the -l flag, which sets the size of the ICMP payload being sent, this lets you probe the largest packet that passes the path unfragmented.

So, assuming a standard Ethernet MTU of 1500 and accounting for an 8-byte ICMP header and a 20-byte IP header, I should be able to send an ICMP packet with a 1472-byte payload, but 1473 should be too large:
C:\Users\netcanuck>ping -f -l 1472

Pinging with 1472 bytes of data:
Reply from bytes=1472 time=3ms TTL=251
Reply from bytes=1472 time=4ms TTL=251
Reply from bytes=1472 time=4ms TTL=251
Reply from bytes=1472 time=3ms TTL=251

C:\Users\netcanuck>ping -f -l 1473

Pinging with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
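The two probes above are the manual version of a general procedure: vary the payload size with DF set until you find the largest size that still gets replies. The following Python script is an added example (not code from the original post) that parses the two kinds of Windows ping output shown above and binary-searches the payload size. No packets are sent; the path is simulated by a constructed function that returns ping-style output for a given path MTU, so the 1400-byte path, the target address 192.0.2.1 and the output text are constructed stand-ins, not values from the post.

```python
"""Path-MTU probing in the style of 'ping -f -l <size>' (DF bit set).

Added example, not part of the original post. It parses Windows ping
output to classify a probe as delivered or blocked by DF, then runs a
binary search over payload sizes to find the largest unfragmented ICMP
payload. The network path is simulated (constructed output), so the
script runs offline.
"""
import re

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header

FRAG_MSG = "Packet needs to be fragmented but DF set."
# Tolerant of the address being present or missing, e.g. "Reply from 192.0.2.1: bytes=1472 ..."
REPLY_RE = re.compile(r"^Reply from .*\bbytes=(\d+)")


def payload_for_mtu(mtu):
    """Largest ICMP payload that fits one frame of the given MTU (1500 -> 1472)."""
    return mtu - IP_HEADER - ICMP_HEADER


def classify_ping_output(text):
    """True if every line is a reply, False if every line is the DF error.

    Raises ValueError for mixed or empty output (e.g. timeouts), which
    should not be interpreted as an MTU answer."""
    replies = fragmented = 0
    for line in text.splitlines():
        line = line.strip()
        if line == FRAG_MSG:
            fragmented += 1
        elif REPLY_RE.match(line):
            replies += 1
    if replies and not fragmented:
        return True
    if fragmented and not replies:
        return False
    raise ValueError("ambiguous or empty ping output")


def simulated_ping(path_mtu):
    """Constructed stand-in for 'ping -f -l <size> 192.0.2.1' on a path with
    the given MTU. Produces the same two output shapes the post shows."""
    def run(size):
        header = f"Pinging 192.0.2.1 with {size} bytes of data:\n"
        if size + IP_HEADER + ICMP_HEADER <= path_mtu:
            reply = f"Reply from 192.0.2.1: bytes={size} time=3ms TTL=251"
            return header + "\n".join([reply] * 4)
        return header + "\n".join([FRAG_MSG] * 4)
    return run


def find_max_payload(ping, lo=0, hi=1472):
    """Binary-search the largest payload in [lo, hi] delivered without
    fragmentation. 'ping' maps a payload size to ping output text.
    Returns None if even the smallest probe is blocked."""
    if not classify_ping_output(ping(lo)):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2   # upper mid so the loop converges on the max passing size
        if classify_ping_output(ping(mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # 1500 = plain Ethernet; 1400 = a constructed example of a path whose
    # effective MTU was reduced by tunnel overhead.
    for mtu in (1500, 1400):
        best = find_max_payload(simulated_ping(mtu))
        print(f"path MTU {mtu}: largest DF payload {best}, "
              f"effective MTU {best + IP_HEADER + ICMP_HEADER}")
```

To use it against a real path, replace `simulated_ping` with a function that runs `ping -f -l <size> <target>` and returns its output; the search then needs about eleven probes instead of trying sizes one by one, and the result plus 28 bytes is the effective path MTU to compare with the tunnel interface MTU.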

7. Other ASA troubleshooting Commands

Please refer to this post.