IPSec stands for IP Security
What is IPSEC?
IPSec stands for IP Security and the standard definition of IPSEC is--
“A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality” (IETF)
It is a standard for privacy, integrity and authenticity.
IPSEC Protocol Architecture
IPSEC is a combination of three primary protocols
- ESP(protocol 50),
- AH(protocol 51)
- IKE(UDP 500)
Authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP)
Integrity: Encapsulating Security Payload (ESP)
Confidentiality: Encapsulating Security Payload (ESP)
Bringing it all together: Internet key Exchange (IKE)
IPSEC is implemented in the following five stages:
Decision to use IPSEC between two end points across internet
Configuration of the two gateways between the end points to support IPSEC
Initiation of an IPSEC tunnel between the two gateways due to ‘interesting traffic’
Negotiation of IPSEC/IKE parameters between the two gateways
Passage of encrypted traffic
IPSec Troubleshooting Steps
· Check for interesting traffic to initiate tunnel, check crypto ACLs for hit counts
– If not, verify Routing (static or RRI)
· Verify if IKE SA is up (QM_Idle) for that peer
– If not, verify for matching Pre-shared keys
– Verify that the IKE policies (encr, auth, DH) are matching
– Verify for matching IKE Identities
· Verify if IPSec SAs are up (Inbound and Outbound SPIs)
– If not, verify for matching IPSec transform sets
– Verify for mirrored crypto ACLs on each side
– Verify that the Crypto Map is applied on the right interface
·
· 
·
· Turn on IKE/IPSec debugs
IPSec Show Commands
· To show IKE SA information:
– show crypto isakmp sa [detail]
– show crypto isakmp peer
· To show IPSec SA information:
– show crypto ipsec sa [ address | detail | interface | map | per | vrf ]
· To show IKE and IPSec information together :
– show crypto session [ fvrf | group | ivrf ] username | detail ]
– show crypto engine connection active
Cisco IOS IPSec Debugging
· These are the current IKE/IPSec debugs available; the highlighted ones are the most useful typically
· Make sure to use Crypto Conditional Debugs when trying to troubleshoot production routers
debug crypto isakmp
debug crypto isakmp error
debug crypto isakmp ha
debug crypto ipsec
debug crypto ipsec error
debug crypto routing
debug crypto ha
debug crypto engine error
debug crypto engine packet
Crypto Conditional Debugging
We can use crypto conditional debugging when we are troubleshooting live networks and specially where there are multiple tunnels running on the device.
· The crypto conditional debug CLIs—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition— allow you to specify conditions (filter values) in which to generate and display debug messages related only to the specified conditions
· The router will perform conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, or debug crypto engine—has been enabled; thi s requirement helps to ensure that the performance of the router will not be impacted when conditional debugging is not being used
· To enable crypto conditional debugging:
– debug crypto condition
– debug crypto { isakmp | ipsec | engine }
· To view crypto condition debugs that have been enabled:
– show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
· To disable crypto condition debugs:
– debug crypto condition reset
0 Response to "IPSec stands for IP Security "
Post a Comment