Depending on their size and configuration, IPsec VPNs can be relatively easy to design and deploy, even if you are not all that knowledgeable about how IPsec actually works. But, if you don't understand how IPsec works and you don't apply a good troubleshooting methodology, then when your IPsec VPN breaks or doesn't work in the first place, you'll probably have to resort to what I call ‘stab-in-the-dark' (SITD) troubleshooting.
SITD troubleshooting is random, time consuming, and will often not resolve your problem at all- it might even exacerbate it. So, in order to help you save some time and frustration, I thought I'd write a short series of blog posts that will help you fix broken IPsec VPNs in an expedited manner using a step-by-step, easy to understand process.
Before actually jumping into a description of the IPsec troubleshooting process, it is (as previously mentioned) very important to understand how IPsec VPNs work. In this blog post I quickly review some of the major components, before moving on to the actual troubleshooting methodology next time. I'll start with site-to-site IPsec VPNs, and then discuss remote access IPsec VPNs in a later blog post.
In a site-to-site VPN, IPsec tunnels are built between an organization's sites, and all traffic is authenticated and/or encrypted as it passes over the intervening network.
IPsec consists of a number of elements, including the following:
AH is a packet header that provides connectionless integrity, data origin authentication, and optional replay protection. ESP is a packet header that provides connectionless integrity, data origin authentication, optional replay protection, data confidentiality, and limited traffic flow confidentiality (available only in tunnel mode).
The SPD specifies traffic that should be protected by IPsec and traffic that should bypass IPsec. The SPD is consulted for all inbound and outbound traffic.
The SAD or SADB contains an entry containing information related to each IPsec SA and interfaces to the SPD to ensure correct IPsec packet processing.
The PAD provides a link between the Internet Key Exchange (IKE) protocol and the SPD. The PAD specifies the range of identities (for example, IP addresses) for which the IPsec device is authorized to negotiate IPsec SAs with a peer; it also specifies how to authenticate a peer
One way of managing IPsec SAs and keys is to manually configure SAs and keying material on IPsec peers. Manual configuration of IPsec SAs and keying material is analogous to the configuration of static routes (though much more involved), and just like the configuration of static routes, the manual configuration of IPsec SAs and keying material is not scalable
The IKE protocol allows IPsec peers to dynamically authenticate each other, generate keying material, and negotiate IPsec SAs.
There are two versions of IKE: IKE Version 1 (IKEv1) and IKE Version 2 (IKEv2). IKEv1 is made up of elements of a number of protocols including SKEME, the Oakley Key Determination Protocoll, and the Internet Security Association and Key Management Protocol (ISAKMP).
IKEv1 negotiation is divided into two phases and three modes. In phase 1, IPsec peers establish an IKE SA. This IKE SA is used to protect phase 2 negotiations, which are then used to negotiate IPsec SAs.
IKEv1 phase 1 can be negotiated using main mode (typical for site-to-site VPNs) or aggressive mode. IKEv1 phase 2, on the other hand, is negotiated using quick mode. It is worth noting that the IKE SA negotiated during phase 1 is bidirectional, but IPsec SAs negotiated during phase 2 are unidirectional.
During IKE phase 1 main mode negotiation, the two IPsec peers exchange three pairs of messages, giving a total of six messages. The function of these messages is as follows:
The Diffie-Hellman exchange allows the IPsec peers to agree a shared secret key. The nonce values are used as keying material in the calculation of session keys on the IPsec peers.
The IPsec peers now generate the first of four session keys called SKEYID. A further three session keys (SKEYID_d, SKEYID_a, and SKEYID_e) are then calculated using SKEYID. IKE phase 2 keys are derived from SKEYID_d. IPsec peers authenticate and encrypt remaining IKE phase 1 and phase 2 messages that they send to each other using SKEYID_a and SKEYID_e.
Phase 1 is now complete, and an IKE SA has been established between the IPsec peers.
The figure below illustrates IKE phase 1 (main mode) negotiation:
When IKE phase 1 negotiation is complete, phase 2 can begin. The purpose of IKE phase 2 negotiation is to established IPsec SAs. These IPsec SAs are then used to protect user traffic as it transits the intervening network between the IPsec peers.
IKE phase 2 negotiation consists of three messages:
Once phase 2 is complete, your IPsec VPN should be able to transport traffic between your sites. That's assuming everything goes to plan!
The next figure shows IKE Phase 2 (Quick Mode) negotiation:
Next time, I'll describe a methodology for troubleshooting IPsec VPNs in a fast and efficient manner.
Mark.
Mark Lewis (CCIE#6280) is an independent consultant who helps service provider and large enterprise clients design and implement leading-edge technologies. Over the last couple of years, Mark has designed and implemented a variety of large-scale technology solutions including VPN, MPLS, QoS, data center, and IP telephony. Mark is the author of three books for Cisco Press: Comparing, Designing, and Deploying VPNs, Troubleshooting Virtual Private Networks, and CCIE Voice Exam Quick Reference Sheets.
The Leader in Network Knowledge
