VYATTA - The Easy Tutorial - Case Study 8 - IPSEC

Vyatta Case 8 - IPSec
Last Change : Dec 07 2010



1. CASE PRINCIPLE 2. PICTURE 3. CONFIGURATIONS 4. SHOW COMMANDS


1. CASE PRINCIPLE

Vyatta version used: VC 2.2 Aug 30, 2007
The goal of this tutorial is to create a secure tunnel between a Vyatta and a Cisco router with the IPSec protocol.
IPSec is a set of Layer 3 protocols and is typically used to create Virtual Private Networks (VPNs) across unsecured networks such as the Internet.
To provide the IPSec functionality, Vyatta has integrated Openswan, a free and open source tool used to create IPSec tunnels on Linux platforms.

We will limit ourselves here to a few key concepts about IPSec and VPNs.

IPSec:

IPSec can be composed of one or both of the following layer 3 protocols: ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP can provide both confidentiality and integrity, whereas AH provides integrity only.

Two protocols are closely linked with IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409). ISAKMP (Internet Security Association and Key Management Protocol) is used to establish security associations, and IKE (Internet Key Exchange) handles automatic key exchange over UDP port 500. Any filtering device between the two gateways must therefore let through UDP port 500 as well as IP protocol 50 (and 51 if AH is used), or the tunnel will never come up.

Only predefined traffic, called interesting traffic, can raise an IPSec tunnel.

VPNs:

To be considered a VPN, a tunnel must respect the following principles:

- Confidentiality or privacy: the data cannot be read by a third party.
- Integrity: the data cannot be altered without this being detected.
- Authentication: each VPN gateway is sure of the identity of the other.

About the case study:

Loopback (or virtual) addresses have been created on the Cisco A and Vyatta routers. The IPSec tunnel is opened only when traffic goes from one router's loopback address towards the other router's loopback address.
See section 4 below for details about how to raise the tunnel.

Important notice: Vyatta supports only ESP, not AH.


2. PICTURE

[Picture: vyatta cisco case study IPSec]

Functionalities tested:

Interface settings
IPSec
IKE

 


3. CONFIGURATIONS

VYATTA ROUTER VC2.2 Aug 30, 2007

edit interfaces ethernet eth0
  set address 100.0.0.1 prefix-length 24

edit interfaces loopback lo
  set address 10.200.1.1 prefix-length 24

set system host-name Vyatta
set service telnet

edit system login user vyatta
  set authentication plaintext-password password

set vpn ipsec
edit vpn ipsec
  set ipsec-interfaces
  edit ipsec-interfaces
    set interface eth0

  set ike-group IKE
  edit ike-group IKE
    set lifetime 7200
  set ike-group IKE proposal 1
  edit ike-group IKE proposal 1
    set encryption 3des
    set hash md5
    set dh-group 2

  set esp-group ESP
  edit esp-group ESP
    set lifetime 1800
  set esp-group ESP proposal 1
  edit esp-group ESP proposal 1
    set encryption 3des
    set hash md5

  set site-to-site
  edit site-to-site
    set peer 50.0.0.1
    edit peer 50.0.0.1
      set authentication pre-shared-secret teddy
      set ike-group IKE
      set local-ip 100.0.0.1
      set tunnel 1
      edit tunnel 1
        set local-subnet 10.200.0.0/16
        set remote-subnet 10.250.0.0/16
        set esp-group ESP

set protocols static route 50.0.0.1/32 next-hop 100.0.0.2

CISCO ROUTER A 2621 IOS: 12.2(46a)

interface FastEthernet0/1
  ip address 50.0.0.1 255.255.255.0
  crypto map m1

interface Loopback 1
  ip address 10.250.1.1 255.255.255.255

hostname Cisco-routerA

line vty 0 4
  no login

enable secret password

crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 7200
crypto isakmp key teddy address 100.0.0.1

crypto ipsec transform-set t1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 1800

crypto map m1 110 ipsec-isakmp
  set peer 100.0.0.1
  set transform-set t1
  match address 111

access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

ip route 100.0.0.1 255.255.255.255 50.0.0.2
ip route 10.200.1.1 255.255.255.255 100.0.0.1

CISCO ROUTER B 2621 IOS: 12.2(23a)

interface FastEthernet0/0
  ip address 100.0.0.2 255.255.255.0
interface FastEthernet0/1
  ip address 50.0.0.2 255.255.255.0
hostname Cisco-routerB
line vty 0 4
  no login
enable secret password
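As an added check, not part of the OpenManiak tutorial nor of Vyatta's or Cisco's own tooling, the following Python script parses the two IPSec configurations above and lists every parameter on which the peers disagree: phase 1 proposal and lifetime, phase 2 transform and lifetime, pre-shared secret, peer address and mirrored subnets. A mismatch in any of these is the usual reason a site-to-site tunnel never comes up. The configuration strings are copied from section 3, the parsers understand only the commands used in this case study, and the altered lifetime in the demonstration is a constructed fault.

```python
"""Cross-check the Vyatta and Cisco sides of the IPSec tunnel in this case study.
Added example (not OpenManiak, Vyatta or Cisco code): extracts the phase 1 (IKE)
and phase 2 (ESP) parameters from both snippets and lists every disagreement."""
import ipaddress

# Both snippets are copied from section 3 of the tutorial.
VYATTA_CONF = """
edit ike-group IKE
  set lifetime 7200
edit ike-group IKE proposal 1
  set encryption 3des
  set hash md5
  set dh-group 2
edit esp-group ESP
  set lifetime 1800
edit esp-group ESP proposal 1
  set encryption 3des
  set hash md5
edit peer 50.0.0.1
  set authentication pre-shared-secret teddy
  set local-ip 100.0.0.1
edit tunnel 1
  set local-subnet 10.200.0.0/16
  set remote-subnet 10.250.0.0/16
"""
CISCO_CONF = """
crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 7200
crypto isakmp key teddy address 100.0.0.1
crypto ipsec transform-set t1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255
"""
# IOS transform names mapped onto the names Vyatta uses
CISCO_ALG = {"esp-3des": "3des", "esp-des": "des", "esp-aes": "aes128",
             "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
ISAKMP_KEY = {"encr": "encryption", "hash": "hash", "group": "dh-group", "lifetime": "lifetime"}
PHASE_KEYS = ("encryption", "hash", "dh-group", "lifetime")


def parse_vyatta(text):
    """Walk the edit/set lines, remembering which group each 'set' belongs to."""
    p, ctx = {"ike": {}, "esp": {}}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "edit":
            ctx = {"ike-group": "ike", "esp-group": "esp"}.get(w[1])
        elif ctx and w[1] in PHASE_KEYS:
            p[ctx][w[1]] = w[2]
        elif w[1:3] == ["authentication", "pre-shared-secret"]:
            p["psk"] = w[3]
        elif w[1] in ("local-ip", "local-subnet", "remote-subnet"):
            p[w[1]] = w[2]
    return p


def parse_cisco(text):
    """Read the isakmp policy lines, PSK, transform-set, SA lifetime and crypto ACL."""
    p = {"ike": {}, "esp": {}}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] in ISAKMP_KEY:                      # indented 'crypto isakmp policy' lines
            p["ike"][ISAKMP_KEY[w[0]]] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["psk"], p["peer"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in w[4:]:
                p["esp"]["hash" if t.endswith("-hmac") else "encryption"] = CISCO_ALG.get(t, t)
        elif w[:3] == ["crypto", "ipsec", "security-association"]:
            p["esp"]["lifetime"] = w[5]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # a mask whose first octet is zero is read by ipaddress as a wildcard (host) mask
            p["local-subnet"] = str(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
            p["remote-subnet"] = str(ipaddress.ip_network(f"{w[6]}/{w[7]}"))
    return p


def compare(v, c):
    """Return the list of mismatches; an empty list means the peers agree."""
    out = []
    for phase in ("ike", "esp"):
        for k in PHASE_KEYS:
            if v[phase].get(k) != c[phase].get(k):
                out.append(f"{phase} {k}: vyatta={v[phase].get(k)} cisco={c[phase].get(k)}")
    if v.get("psk") != c.get("psk"):
        out.append("pre-shared secret differs")
    if v.get("local-ip") != c.get("peer"):
        out.append(f"cisco peer {c.get('peer')} is not vyatta local-ip {v.get('local-ip')}")
    # the ACL is written from Cisco's side, so local and remote subnets swap
    if (v.get("local-subnet"), v.get("remote-subnet")) != (c.get("remote-subnet"), c.get("local-subnet")):
        out.append("protected subnets are not mirror images")
    return out


def check_case_study(cisco_conf=CISCO_CONF):
    return compare(parse_vyatta(VYATTA_CONF), parse_cisco(cisco_conf))


if __name__ == "__main__":
    print("case study:", check_case_study() or "consistent")
    # constructed fault: Cisco left at its default 86400 s ISAKMP lifetime
    print("drifted:", check_case_study(CISCO_CONF.replace("lifetime 7200", "lifetime 86400")))
```

Run as is, the script reports the case study as consistent and, for the constructed drift, a single line naming the IKE lifetime on each side. The same approach extends to the `show crypto isakmp policy` and `show vpn ike sa` outputs in section 4, which print the values actually negotiated rather than the ones configured.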
 



4. SHOW COMMANDS:

RAISE THE IPSEC TUNNEL:

The interesting traffic has been defined as follows:

On the Cisco router: IP source: 10.250.0.0/16 ; IP destination: 10.200.0.0/16
   access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

On the Vyatta router: IP source: 10.200.0.0/16 ; IP destination: 10.250.0.0/16
   set local-subnet 10.200.0.0/16
   set remote-subnet 10.250.0.0/16


To raise the IPSec tunnel, the packets' source and destination IP addresses must fall inside the ranges defined on the Vyatta and Cisco routers.

We use the ping command to generate traffic matching the conditions defined on the Vyatta and Cisco routers. The source IP address must be specified in the ping command; otherwise the source IP address defaults to that of the outgoing physical interface.

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: specify the source IP address
-c: Number of packets sent

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms

IKE

Cisco-RouterA#show crypto isakmp policy

Protection suite of priority 1
  encryption algorithm: Three key triple DES
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 7200 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Cisco-RouterA#show crypto isakmp sa

dst              src              state    conn-id  slot
50.0.0.1         100.0.0.1        QM_IDLE  4        0
Cisco-RouterA#show crypto isakmp key

Hostname/Address 100.0.0.1
Preshared Key teddy
Vyatta>show vpn ike status

IKE Process Running

PID: 8366
Vyatta>show vpn ike secrets

Local IP         Peer IP          Secret
--------         -------          ------
100.0.0.1        50.0.0.1         "teddy"
Vyatta>show vpn ike sa

Local IP    Peer IP    State  Encrypt  Hash  NAT-T  A-Time  L-Time
--------    -------    -----  -------  ----  -----  ------  ------
100.0.0.1   50.0.0.1   up     3des     md5   No     769     7200

IPSEC

Cisco-RouterA#show crypto ipsec transform-set

Transform set t1: { esp-3des esp-md5-hmac }
  will negotiate = { Tunnel, },
Cisco-RouterA#show crypto ipsec security-association-lifetime

Security association lifetime: 4608000 kilobytes/1800 seconds
Cisco-RouterA#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: m1, local addr. 50.0.0.1
           
  local ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
  current_peer: 100.0.0.1
      PERMIT, flags={origin_is_acl,}
    # pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    # pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    # pkts compressed: 0, #pkts decompressed: 0
    # pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    # send errors 0, #recv errors 0
           
      local crypto endpt.: 50.0.0.1, remote crypto endpt.: 100.0.0.1
      path mtu 1500, ip mtu 1500, ip mtu interface FastEthernet0/1
      current outbound spi: CA59FF09
           
      inbound esp sas:
        spi: 0xEC0B17CB(3960149963)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2004, flow_id: 5, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      inbound ah sas:
           
      inbound pcp sas:
           
      outbound esp sas:
        spi: 0xCA59FF09(3394895625)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2005, flow_id: 6, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      outbound ah sas:
           
      outbound pcp sas:
Cisco-RouterA#show crypto engine connections active

ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
4     FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  0        0
2004  FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  0        5
2005  FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  5        0
Vyatta>show vpn ipsec status

IPSec Process Running PID: 8366

IPsec Interfaces:
   eth0 (100.0.0.1)
Vyatta>show vpn ipsec sa

Peer IP    Tunnel#  Dir  SPI       Encrypt  Hash  NAT-T  A-Time  L-Time
-------    -------  ---  ---       -------  ----  -----  ------  ------
50.0.0.1   1        in   e834f47b  3des     md5   No     185     1800
50.0.0.1   1        out  778ed647  3des     md5   No     185     1800

ROUTES:

Cisco-RouterA#show ip route

Gateway of last resort is not set
 
  50.0.0.0/24 is subnetted, 1 subnets
C   50.0.0.0 is directly connected, FastEthernet0/1
  100.0.0.0/32 is subnetted, 1 subnets
S   100.0.0.1 [1/0] via 50.0.0.2
  10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   10.0.0.0/24 is directly connected, FastEthernet0/0
S   10.200.1.1/32 [1/0] via 100.0.0.1
C   10.250.1.1/32 is directly connected, Loopback1
Vyatta#show route

Routes: 4/4, Paths: 4/4
10.200.1.0/24 [connected(0)] > to 10.200.1.1 via lo
50.0.0.1 [static(1)] > to 100.0.0.2 via eth0
100.0.0.0/24 [connected(0)] > to 100.0.0.1 via eth0
127.0.0.0/8 [connected(0)] > to 127.0.0.1 via lo
Vyatta#show route system forward

Kernel IP routing table
Destination  Gateway    Genmask          Flags  Metric  Ref  Use  Iface
50.0.0.1     100.0.0.2  255.255.255.255  UGH    1       0    0    eth0
100.0.0.0    0.0.0.0    255.255.255.0    U      0       0    0    eth0
10.250.0.0   0.0.0.0    255.255.0.0      U      0       0    0    eth0

DEBUGGING:

Cisco-RouterA#debug crypto isakmp

ISAKMP (0:0):     received packet from 100.0.0.1 (N) NEW SA
ISAKMP local   port 500, remote port 500
ISAKMP (0:5):   processing SA payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:     life type in seconds
ISAKMP:     life duration (basic) of 7200
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash MD5
ISAKMP:     auth pre-share
ISAKMP:     default group 2
ISAKMP (0:5):   atts are acceptable. Next payload is 0
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   processing KE payload. message ID = 0
ISAKMP (0:5):   processing NONCE payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   SKEYID state generated
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   processing ID payload. message ID = 0
ISAKMP (0:5):   processing HASH payload. message ID = 0
ISAKMP (0:5):   SA has been authenticated with 100.0.0.1
ISAKMP (5): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (5): Total payload length: 12
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   processing HASH payload. message ID = -1931975646
ISAKMP (0:5):   processing SA payload. message ID = -1931975646
ISAKMP (0:5):   Checking IPSec proposal 0
  transform 0, ESP_3DES
    attributes in transform:
      group is 2
      encaps is 1
      SA life type in seconds
      SA life duration (basic) of 1800
      authenticator is HMAC-MD5
ISAKMP (0:5):   atts are acceptable.
ISAKMP (0:5):   processing NONCE payload. message ID = -1931975646
ISAKMP (0:5):   processing KE payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   asking for 1 spis from ipsec
  received ke message (2/1)
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
Cisco-RouterA#debug crypto ipsec

IPSEC(sa_aging): lifetime expiring,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004,
  (identity) local= 50.0.0.1, remote= 100.0.0.1,
    local_proxy= 10.250.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 100.0.0.1, sa_prot= 50,
    sa_spi= 0xCA59FF09(3394895625),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
Vyatta>show vpn debug

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 10.200.1.1
000 interface eth0/eth0 100.0.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224}
000
000 "peer-50.0.0.1-tunnel-1": 10.200.0.0/16===100.0.0.1...50.0.0.1===10.250.0.0/16; erouted; eroute owner: #2
000 "peer-50.0.0.1-tunnel-1":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "peer-50.0.0.1-tunnel-1":   ike_life: 7200s; ipsec_life: 1800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-50.0.0.1-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth0;
000 "peer-50.0.0.1-tunnel-1":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-50.0.0.1-tunnel-1":   IKE algorithms wanted: 5_000-1-2, flags=strict
000 "peer-50.0.0.1-tunnel-1":   IKE algorithms found: 5_192-1_128-2,
000 "peer-50.0.0.1-tunnel-1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "peer-50.0.0.1-tunnel-1":   ESP algorithms wanted: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1":   ESP algorithms loaded: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=
000
000 #2: "peer-50.0.0.1-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 526s; newest IPSEC; eroute owner
000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 esp.778ed647@100.0.0.1 tun.0@50.0.0.1 tun.0@100.0.0.1
000 #1: "peer-50.0.0.1-tunnel-1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6418s; newest ISAKMP; nodpd
000


CONNECTIVITY CHECKS:

The Cisco-RouterA and Vyatta routers must be able to reach each other on their WAN addresses.
Cisco-RouterA WAN address: 50.0.0.1
Vyatta WAN address: 100.0.0.1

Cisco-RouterA#traceroute 100.0.0.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 100.0.0.1 4 msec 0 msec 4 msec
Vyatta>traceroute 50.0.0.1

traceroute to 50.0.0.1 (50.0.0.1), 30 hops max, 40 byte packets
1 100.0.0.2 (100.0.0.2) 1.870 0.872 0.875
2 50.0.0.1 (50.0.0.1) 1.988 * 1.203
   ---------------------------------------------------------------------

If an IPSec router tries to ping or traceroute the other router's loopback address, it receives no answer because the routers' loopback addresses are not routed on the WAN.
Such a ping or traceroute does not raise the tunnel either, as its source IP address does not match the conditions defined on the IPSec routers.

Cisco-RouterA#ping 10.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
Vyatta>ping 10.250.1.1 -c 4

PING 10.250.1.1 (10.250.1.1) 56(84) bytes of data.
From 100.0.0.1 icmp_seq=2 Destination Host Unreachable
From 100.0.0.1 icmp_seq=3 Destination Host Unreachable
From 100.0.0.1 icmp_seq=4 Destination Host Unreachable

--- 10.250.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms, pipe 3
Cisco-RouterA#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 50.0.0.2 !H !H *
Vyatta>traceroute 10.250.1.1

traceroute to 10.250.1.1 (10.250.1.1), 30 hops max, 40 byte packets
1 100.0.0.1 (100.0.0.1) 3002.304 ms !H 3003.655 ms !H 3003.975 ms !H
   ---------------------------------------------------------------------

To reach each other on their loopback addresses and thus raise the IPSec tunnel, the Vyatta and Cisco routers must ping or traceroute from their loopback IP addresses.
By default, the source IP address is that of the outgoing physical interface.
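The selector logic described here and under RAISE THE IPSEC TUNNEL above, as an added example that is not part of the original page nor of Vyatta or Cisco IOS: it models in Python the two ways the interesting traffic is expressed on this page, Cisco's wildcard-mask ACL (access-list 111) and Vyatta's local-subnet/remote-subnet pair, and classifies the four ping attempts shown in section 4. Each attempt is judged twice, the echo request against the sending router's selector and the echo reply against the peer's, which is why both sides must mirror each other exactly. Addresses and selectors are those of the case study; the function names and the "asymmetric" case are my own.

```python
"""Which packets count as interesting traffic for tunnel 1 of this case study.
Added example, not part of the OpenManiak page, Vyatta or Cisco IOS."""
import ipaddress

# Selectors copied from the section 3 configurations.
CISCO_ACL_111 = ("10.250.0.0", "0.0.255.255", "10.200.0.0", "0.0.255.255")  # src net/wc, dst net/wc
VYATTA_TUNNEL_1 = ("10.200.0.0/16", "10.250.0.0/16")                       # local-subnet, remote-subnet


def wildcard_match(addr, network, wildcard):
    """Cisco ACL test: a wildcard bit of 1 means 'do not care about this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def cisco_interesting(src, dst):
    s_net, s_wc, d_net, d_wc = CISCO_ACL_111
    return wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc)


def vyatta_interesting(src, dst):
    local, remote = (ipaddress.ip_network(n) for n in VYATTA_TUNNEL_1)
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


SELECTOR = {"cisco": cisco_interesting, "vyatta": vyatta_interesting}
PEER = {"cisco": "vyatta", "vyatta": "cisco"}


def ping_outcome(router, src, dst, selectors=SELECTOR):
    """'tunnel'     : the echo request raises the tunnel and the reply matches the peer's selector
       'no_tunnel'  : neither direction is interesting; the packet leaves in clear (and here, unrouted)
       'asymmetric' : only one direction matches, i.e. the two gateways' selectors disagree"""
    request = selectors[router](src, dst)
    reply = selectors[PEER[router]](dst, src)
    if request and reply:
        return "tunnel"
    if not request and not reply:
        return "no_tunnel"
    return "asymmetric"


def case_study_pings():
    """The four ping attempts shown on the page, keyed by (router, source, target)."""
    attempts = [("cisco", "50.0.0.1", "10.200.1.1"),    # plain 'ping 10.200.1.1' from Fa0/1
                ("cisco", "10.250.1.1", "10.200.1.1"),  # extended ping sourced from Loopback1
                ("vyatta", "100.0.0.1", "10.250.1.1"),  # plain 'ping 10.250.1.1' from eth0
                ("vyatta", "10.200.1.1", "10.250.1.1")]  # 'ping -I 10.200.1.1'
    return {a: ping_outcome(*a) for a in attempts}


if __name__ == "__main__":
    for (router, src, dst), verdict in case_study_pings().items():
        print(f"{router:6} {src:>10} -> {dst:<10} {verdict}")
```

The two plain pings come out as no_tunnel, the two loopback-sourced pings as tunnel, matching the `!!!!!` and `U.U.U` results on the page. A constructed selector that accepts traffic on one gateway only yields asymmetric, the situation where phase 2 negotiation fails with mismatched proxy identities.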

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: specify the source IP address
-c: Number of packets sent

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
Cisco-RouterA#traceroute

Target IP address: 10.200.1.1
Source address: 10.250.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [1]:
Port number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 10.200.1.1 4 msec 0 msec 4 msec