Avaya 2330/4134 Troubleshooting (394 pages)
policy, but there is little hope of troubleshooting (or soliciting support help with troubleshooting) VPN problems without a network map.
A site-to-site IPsec VPN may be built either as native IPsec tunnels or as GRE/IPIP tunnels protected by IPsec in transport mode. With native Secure Router IPsec tunnels, the tunnel does not become an interface in the system, and IPsec itself (tunnel mode) supplies the outer/inner IP encapsulation. With IPsec transport-protected GRE/IPIP tunnels, the GRE/IPIP tunnel becomes a named interface in the system and GRE/IPIP, not IPsec, supplies the outer/inner IP encapsulation. In that design the IPsec policy no longer selects or filters the payload traffic (its selector covers only the GRE/IPIP packets exchanged between the two gateway addresses); routing decides what enters the tunnel, so a route change cannot leave traffic black-holed by an IPsec selector it no longer matches.
IPsec tunnels with access control (the traffic selectors) are configured entirely under the `crypto` subtree of the configuration CLI. Tunnel interfaces with IPsec protection are configured mostly under the `interface tunnel` subtree, but the default cryptographic parameters they use can be changed under the `crypto` subtree.
In the Secure Router the VPN capability comes bundled with the firewall capability. You can configure the firewall without VPN, but enabling VPN brings the firewall with it. You therefore need site-appropriate firewall policies that let the VPN traffic "in": at minimum the IKE exchange (UDP/500, plus UDP/4500 when NAT traversal is in use) and ESP (IP protocol 50) from each peer gateway. Each Secure Router must also have an IP route to the far-end protected network(s) behind its peer security gateway(s); without that route, traffic never reaches the tunnel.
IPsec VPNs have a well-deserved reputation for being difficult to configure. A fairly long list of parameters must be configured meticulously, and identically, on each of the two peer security gateways. Any disagreement in any Security Association parameter almost always leaves the two systems unable to communicate, and the outcome is all-or-nothing: either the VPN forms its SAs and carries traffic, or no traffic gets through. Troubleshooting an IPsec VPN therefore tends to become a hunt for the one hidden, mismatched parameter, and you need access to the configuration of both security gateway peers to find it.
When a pair of VPN peers is not forming SAs or not carrying traffic, compare their IKE, IPsec and firewall policies side by side. Remember that a few fields are meant to be mirrored rather than identical: one peer's local gateway address and protected subnet are the other peer's remote ones. A human, visual review of the two policies is often the quickest way to 'see' the problem. If the review does not reveal it quickly, enable debug logging and look for the error messages. In general, work to isolate the fault to one of four layers: routing, firewalling, IKE phase 1 (the IKE SA) or phase 2 (the IPsec SAs).
Getting started
First get the general VPN orientation with the following commands:
show ip interfaces brief
show crypto interfaces
show crypto ike policy all [detail]
show crypto ipsec policy all [detail]
show ip route
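Once both peers' show output is in hand, the side-by-side comparison described above can be turned into a checklist. The Python below is an example added to this page; it is not Avaya code and it does not parse the Secure Router CLI. The field names, the two peer records (using RFC 5737 documentation addresses) and their firewall and route entries are constructed for illustration, written the way a person would transcribe them from the two peers' IKE policy, IPsec policy, firewall and route displays. It requires exact equality on the parameters that must match, mirrored equality on local/remote addresses and subnets, checks that each peer's firewall permits IKE and ESP from the other gateway, and checks that each peer has a route to the far-end protected subnet, reporting findings in the routing, firewall, phase 1 and phase 2 buckets the text recommends isolating between.

```python
"""Peer-to-peer IPsec troubleshooting triage.

Added example for this page, not Avaya code and not a parser for the
Secure Router CLI. The field names and both peer records below are
constructed to resemble what a person would transcribe from the two
peers' IKE policy, IPsec policy, firewall and routing displays.
"""
import ipaddress

# Must be identical on both peers. A difference here is the "hidden mismatch".
IKE_SYMMETRIC = ("version", "mode", "encryption", "hash", "dh_group", "auth", "lifetime_s")
IPSEC_SYMMETRIC = ("protocol", "encryption", "auth", "pfs_group", "mode", "lifetime_s")
# Must be mirrored: what A calls local, B must call remote, and vice versa.
IKE_MIRRORED = (("local_addr", "peer_addr"),)
IPSEC_MIRRORED = (("local_subnet", "remote_subnet"),)

# Flows a peer's firewall must permit inbound from the other gateway.
# UDP/4500 matters only when a NAT sits between the peers.
VPN_FLOWS = (("udp", 500, "IKE UDP/500"),
             ("udp", 4500, "IKE NAT-T UDP/4500 (only if NAT between peers)"),
             ("esp", None, "ESP, IP protocol 50"))


def compare_policies(a, b, symmetric, mirrored):
    """Return human-readable mismatches between policy dicts a and b."""
    problems = []
    for f in symmetric:
        if a.get(f) != b.get(f):
            problems.append(f"{f}: A={a.get(f)!r}, B={b.get(f)!r}")
    for local, remote in mirrored:
        # Check both directions so a one-sided typo is reported exactly once.
        if a.get(local) != b.get(remote):
            problems.append(f"{local}/{remote} not mirrored: "
                            f"A.{local}={a.get(local)!r}, B.{remote}={b.get(remote)!r}")
        if a.get(remote) != b.get(local):
            problems.append(f"{remote}/{local} not mirrored: "
                            f"A.{remote}={a.get(remote)!r}, B.{local}={b.get(local)!r}")
    return problems


def firewall_gaps(rules, peer_addr):
    """Labels of the VPN flows from peer_addr that no permit rule covers."""
    def permitted(proto, port):
        return any(r["action"] == "permit" and r["proto"] == proto
                   and r["src"] in (peer_addr, "any")
                   and (port is None or r.get("dport") in (port, "any"))
                   for r in rules)
    return [label for proto, port, label in VPN_FLOWS if not permitted(proto, port)]


def route_missing(routes, remote_subnet):
    """True if no route (a default route counts) covers the far-end protected subnet."""
    dst = ipaddress.ip_network(remote_subnet)
    return not any(ipaddress.ip_network(r).supernet_of(dst) for r in routes)


def triage(a, b):
    """Bucket findings by layer, in the order the text says to isolate them."""
    return {
        "routing": {"A": route_missing(a["routes"], a["ipsec"]["remote_subnet"]),
                    "B": route_missing(b["routes"], b["ipsec"]["remote_subnet"])},
        "firewall": {"A": firewall_gaps(a["firewall"], b["ike"]["local_addr"]),
                     "B": firewall_gaps(b["firewall"], a["ike"]["local_addr"])},
        "phase1_ike": compare_policies(a["ike"], b["ike"], IKE_SYMMETRIC, IKE_MIRRORED),
        "phase2_ipsec": compare_policies(a["ipsec"], b["ipsec"], IPSEC_SYMMETRIC, IPSEC_MIRRORED),
    }


# Constructed peer records (RFC 5737 documentation addresses), seeded with
# one fault per layer so every bucket shows a finding.
PEER_A = {
    "ike": {"version": "ikev1", "mode": "main", "encryption": "aes-128", "hash": "sha1",
            "dh_group": 2, "auth": "preshared-key", "lifetime_s": 28800,
            "local_addr": "198.51.100.1", "peer_addr": "203.0.113.1"},
    "ipsec": {"protocol": "esp", "encryption": "aes-128", "auth": "hmac-sha1", "pfs_group": 2,
              "mode": "tunnel", "lifetime_s": 3600,
              "local_subnet": "10.1.0.0/24", "remote_subnet": "10.2.0.0/24"},
    "firewall": [{"action": "permit", "proto": "udp", "src": "203.0.113.1", "dport": 500},
                 {"action": "permit", "proto": "udp", "src": "203.0.113.1", "dport": 4500},
                 {"action": "permit", "proto": "esp", "src": "203.0.113.1"}],
    "routes": ["198.51.100.0/30", "10.1.0.0/24"],  # fault: no route to 10.2.0.0/24
}
PEER_B = {
    "ike": {"version": "ikev1", "mode": "main", "encryption": "aes-128", "hash": "md5",  # fault
            "dh_group": 2, "auth": "preshared-key", "lifetime_s": 28800,
            "local_addr": "203.0.113.1", "peer_addr": "198.51.100.1"},
    "ipsec": {"protocol": "esp", "encryption": "aes-128", "auth": "hmac-sha1", "pfs_group": 2,
              "mode": "tunnel", "lifetime_s": 3600,
              "local_subnet": "10.2.0.0/16", "remote_subnet": "10.1.0.0/24"},  # fault: /16 vs /24
    "firewall": [{"action": "permit", "proto": "udp", "src": "198.51.100.1", "dport": 500},
                 {"action": "permit", "proto": "esp", "src": "198.51.100.1"}],  # fault: no NAT-T
    "routes": ["203.0.113.0/30", "0.0.0.0/0"],
}

if __name__ == "__main__":
    for layer, finding in triage(PEER_A, PEER_B).items():
        print(f"{layer}: {finding}")
```

Run as a script it prints one bucket per line; with the seeded faults it reports a missing route on A, a missing NAT-T permit on B, an IKE hash mismatch, and a /16 versus /24 protected subnet that is not mirrored. The pre-shared key itself is usually not displayed by show commands and so cannot be compared this way: if phase 1 still fails with identical proposals, re-enter the key on both peers.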
Troubleshooting VPN | Troubleshooting, August 2013, page 205