Chapter 4: Common IPsec VPN Issues
Cisco Press
By James Henry Carmouche, Network World, 11/14/2007
Excerpt from IPsec Virtual Private Network Fundamentals, by James Henry Carmouche. Published by Cisco Press. ISBN-10: 1-58705-207-5, ISBN-13: 978-1-58705-207-1.
In this chapter, we will discuss several areas of IPsec virtual private network (VPN) design that commonly present obstacles
to successful deployment. We will begin our discussion with a brief overview of the diagnostic tools available within IOS
commonly used to diagnose and correct issues with IPsec VPN deployments. After presenting the tools needed to troubleshoot
IPsec, we will begin to explore two broad categories of common IPsec VPN issues: configuration and architecture. The IPsec
VPN configuration issues we will explore in this chapter include:
- IKE SA Proposal Mismatches
- IKE Authentication Failures
- IPsec SA Proposal Mismatches
- Crypto ACL Mismatches
Unlike configuration issues, architectural issues do not require a misconfiguration by the administrator. Architectural issues
are often introduced by incompatibilities between IPsec and other networking technologies. The architectural IPsec VPN issues we will discuss in this chapter include:
- IPsec in Firewalled Environments
- IPsec in NAT Environments
- IPsec and Quality of Service
- IPsec and Fragmentation
- IPsec and Recursive Routing
IPsec Diagnostic Tools within Cisco IOS
The most commonly used categories of diagnostic tools within Cisco IOS are show and debug commands. Throughout the course of this chapter, we will use variations of these two command sets to diagnose issues commonly
found within Cisco IOS. As we've discussed, there are detailed steps that occur during the formation of Internet Security
Association and Key Management Protocol (ISAKMP) and IPsec negotiation between two IPsec VPN endpoints. We will examine common
errors in these steps through execution of the following debugging commands within IOS:
- debug crypto isakmp
- debug crypto ipsec
Additionally, we will explore several show commands necessary to uncover common errors and performance issues related to the negotiation of IPsec VPN tunnels, including
fragmentation/maximum transmission unit (MTU) issues, quality of service (QoS) issues, Network Address Translation (NAT) issues,
and issues relating to recursive routing. A subset of the commands we will discuss to address these issues includes:
- show crypto isakmp sa
- show crypto isakmp sa nat
- show crypto ipsec sa
- show crypto engine connections active
- show crypto engine connections dropped-packet
- show crypto engine connections flow
- show crypto engine qos
Common Configuration Issues with IPsec VPNs
There are many parameters and features to understand when deploying IPsec VPNs. In this section, we will discuss configuration
issues presented when one or more IPsec VPN gateways are configured incorrectly. After discussing the nature of each of the
above commonly experienced IPsec VPN configuration issues, we will discuss the methods used to effectively diagnose and remedy
these issues.
IKE SA Proposal Mismatches
Unless IPsec session keys are manually defined, two crypto endpoints must agree upon an ISAKMP policy to use when negotiating
the secure Internet Key Exchange (IKE) channel, or ISAKMP security association (SA). As such, when two VPN endpoints fail
to agree upon a usable ISAKMP policy, IPsec SA negotiation cannot initiate, and traffic will continue to flow unencrypted.
Figure 2-24 and Figure 2-25 provide a brief description of the ISAKMP policy negotiation process in main mode and aggressive mode,
respectively, and the configuration involved on the two VPN endpoints. Also remember from our discussions in Chapter 2 that ISAKMP
policies are listed in order of priority (the lower the number, the higher the priority). The initiator will offer its highest
priority proposal, and the responder will search its locally configured ISAKMP policies for a match. If there is none, the
initiator will propose the next highest-priority ISAKMP policy from its local configuration. This process will continue until
the initiator has no proposals left to offer the responder. The result, in this case, would be an ISAKMP SA proposal mismatch.
Using the configurations provided in Example 4-1 and Example 4-2, Router_A and Router_B will attempt to form an IKE SA between
one another using the topology illustrated in Figure 4-1.
Figure 4-1: ISAKMP SA Negotiation Resulting in ISAKMP Proposal Mismatch
Example 4-1 provides the ISAKMP policies configured for Router_A in Figure 4-1. Note that, in this configuration, there are no ISAKMP proposals configured that match those configured on Router_B in Example
4-2.
Example 4-1 Crypto ISAKMP Policy Definition for Router_A in Figure 4-1 (Mismatch with Router_B, Example 4-2)
Router_A#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 30
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Example 4-2 provides the ISAKMP policy configuration on Router_B of Figure 4-1. Router_B will use this policy when building an ISAKMP SA to Router_A, whose ISAKMP policy is provided in Example 4-1. Because
Router_B's ISAKMP configuration contains no matching proposals with Router_A's configuration provided in Example 4-1, ISAKMP
negotiation will fail.
Example 4-2 Crypto ISAKMP Policy Definition for Router_B in Figure 4-1 (Mismatch with Router_A, Example 4-1)
Router_B#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 30
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
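The negotiation walk described above (the initiator offers its policies in priority order, the responder searches its own policies for a match) and the two listings in Example 4-1 and Example 4-2 can be checked mechanically. The Python below is an added example, not code from the book or from Cisco IOS: it parses the configured suites straight out of show crypto isakmp policy output (the two listings are embedded as constructed input, copied from the examples above), runs the match, and, when nothing matches, reports for each offered suite which responder suite is closest and which attributes differ. The lifetime rule it applies (the four attributes must be identical, the responder's lifetime must not exceed the offered one, and the shorter lifetime is used) is Cisco's documented IKEv1 behaviour, not something stated on this page. Note what it finds: run over the listings exactly as printed above, Router_A's priority 20 suite and Router_B's priority 30 suite carry identical attributes (DES, SHA, pre-shared key, group 2), so the matcher reports a match even though the text says negotiation fails; the constructed with_priority30_hash_md5 variant changes one hash so the mismatch path can be shown as well. The built-in default protection suite, if present in a listing, is ignored by the parser, because whether its RSA-signature authentication is usable depends on certificate configuration not shown here.

```python
import re

# Constructed sample input: the configured suites from the "show crypto isakmp
# policy" listings of Router_A (Example 4-1) and Router_B (Example 4-2).
ROUTER_A_POLICY = """\
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 30
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""
ROUTER_B_POLICY = """\
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 30
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

MATCH_ATTRS = ("encryption", "hash", "authentication", "group")

def parse_isakmp_policies(text):
    """Parse the configured suites of a 'show crypto isakmp policy' listing into
    dicts sorted by priority number (lower number = higher priority). A trailing
    'Default protection suite' block, if present, is ignored."""
    policies = []
    for block in re.split(r"Protection suite of priority ", text)[1:]:
        prio, body = block.split("\n", 1)
        get = lambda label: re.search(label + r":\s*(.+)", body).group(1).rstrip(".")
        policies.append({
            "priority": int(prio),
            "encryption": get("encryption algorithm"),
            "hash": get("hash algorithm"),
            "authentication": get("authentication method"),
            "group": int(re.search(r"#(\d+)", get("Diffie-Hellman group")).group(1)),
            "lifetime": int(get("lifetime").split()[0]),
        })
    return sorted(policies, key=lambda p: p["priority"])

def negotiate_ike_sa(initiator, responder):
    """Offer the initiator's suites in priority order; the responder accepts the
    first of its own suites with identical encryption, hash, authentication and
    DH group whose lifetime is not longer than the offered one (Cisco's IKEv1
    rule: the shorter lifetime is used). Returns (initiator_priority,
    responder_priority, lifetime) on a match, or None on a proposal mismatch."""
    for prop in initiator:
        for pol in responder:
            if (all(prop[a] == pol[a] for a in MATCH_ATTRS)
                    and pol["lifetime"] <= prop["lifetime"]):
                return prop["priority"], pol["priority"], pol["lifetime"]
    return None

def explain_mismatch(initiator, responder):
    """For each offered suite, name the responder suite that differs in the
    fewest attributes and list those attributes: the lines an administrator
    would change to make the policies agree."""
    report = {}
    for prop in initiator:
        best = min(responder, key=lambda p: sum(prop[a] != p[a] for a in MATCH_ATTRS))
        report[prop["priority"]] = (best["priority"],
                                    [a for a in MATCH_ATTRS if prop[a] != best[a]])
    return report

def with_priority30_hash_md5(policies):
    """Constructed variant of a listing: the priority-30 suite's hash switched to
    MD5 so that, for Router_B, no configured suite matches Router_A's."""
    return [dict(p, hash="Message Digest 5") if p["priority"] == 30 else dict(p)
            for p in policies]

router_a = parse_isakmp_policies(ROUTER_A_POLICY)
router_b = parse_isakmp_policies(ROUTER_B_POLICY)

if __name__ == "__main__":
    print("as printed:", negotiate_ike_sa(router_a, router_b))
    variant = with_priority30_hash_md5(router_b)
    print("variant:", negotiate_ike_sa(router_a, variant))
    print(explain_mismatch(router_a, variant))
```

When debug crypto isakmp on the responder shows the offered attributes being rejected, pasting both routers' listings into this script gives the attribute to change rather than a guess; on a live pair, also check whether the identical default suites could be taken up in practice, which requires the RSA-signature authentication they specify to be backed by certificates on both peers.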