This example shows how manual IPSec is configured in Cisco IOS. With this configuration no ISAKMP/IKE is needed to negotiate keys; the session keys are configured statically on both routers. This is of course not the recommended way of configuring IPSec: the keys never change unless an administrator changes them on both sides at once, and manually keyed SAs get no anti-replay protection (note "replay detection support: N" in the SA output below).
Topology used in this example:
The relevant starting configuration of Router1:
interface Loopback11
ip address 11.11.1.1 255.255.255.0
!
interface FastEthernet0
ip address 10.255.255.201 255.255.255.0
For manual IPSec no ISAKMP is needed, so it is disabled:
no crypto isakmp enable
We need a transform set. First we use one without encryption (esp-null) so that the traffic can be captured and analyzed in the clear; only the ESP authentication (esp-sha-hmac) is applied:
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
An access list has to define the traffic that is to be protected. For manual IPSec this ACL may contain only a single permit entry:
access-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255
A crypto map is written. Inside the crypto map the session keys are specified:
crypto map test 10 ipsec-manual
set peer 10.255.255.1
set session-key in esp 2001 auth 0123456789012345678901234567890123456789
set session-key out esp 1002 auth 0123456789012345678901234567890123456789
set transform-set esp-none-sha1
match address 100
Each SA has a unique Security Parameter Index (SPI). In this case the SPI 1002 is used to protect the outgoing datagrams with authentication, and incoming datagrams are expected to carry the SPI 2001. As we are using SHA-1 (HMAC-SHA1-96), the session key is 160 bits, i.e. 40 hex characters. Both directions use the same key here only to keep the example short; separate keys per direction are preferable.
The crypto map is applied to the outbound interface:
interface FastEthernet0
crypto map test
The resulting config of Router1:
no crypto isakmp enable
!
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
!
crypto map test 10 ipsec-manual
set peer 10.255.255.1
set session-key in esp 2001 auth 0123456789012345678901234567890123456789
set session-key out esp 1002 auth 0123456789012345678901234567890123456789
set transform-set esp-none-sha1
match address 100
!
access-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255
!
interface Loopback11
ip address 11.11.1.1 255.255.255.0
!
interface FastEthernet0
ip address 10.255.255.201 255.255.255.0
crypto map test
Router 2 is configured the same way, with the inbound and outbound SPIs and keys mirrored (Vlan1 is the outgoing interface on R2):
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
!
crypto map test 10 ipsec-manual
set peer 10.255.255.201
set session-key in esp 1002 auth 0123456789012345678901234567890123456789
set session-key out esp 2001 auth 0123456789012345678901234567890123456789
set transform-set esp-none-sha1
match address 100
!
access-list 100 permit ip 11.11.2.0 0.0.0.255 11.11.1.0 0.0.0.255
!
interface Loopback11
ip address 11.11.2.1 255.255.255.0
!
interface Vlan1
crypto map test
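The rule behind the two configurations above is that R1's inbound SA (SPI and keys) must be R2's outbound SA and vice versa, and that the key lengths must match the transform set. The following generator enforces both and emits the crypto map for each peer with fresh random keys. It is an added example, not part of the original page; the peer addresses, the crypto map name "test", ACL 100, the transform-set names and the SPIs 1002/2001 are taken from the page's topology, and the SPI range check (256 and up) reflects IOS's accepted range for set session-key.

```python
"""Generate a mirrored manual-keying crypto map for two IOS peers.

Added example, not from the original page. Peer addresses, map name, ACL and
transform-set names are assumptions taken from the page's topology.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

SHA1_KEY_BYTES = 20   # HMAC-SHA1 key: 160 bits = 40 hex digits
DES_KEY_BYTES = 8     # DES key: 64 bits = 16 hex digits, 56 of them effective
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # SPIs 0-255 are reserved; IOS accepts 256 and up


def des_key_with_odd_parity(raw: bytes) -> bytes:
    """DES uses only 56 of the 64 key bits; the low bit of each byte is a
    parity bit. Set it so every byte has odd parity, giving a well-formed key."""
    out = bytearray()
    for b in raw:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


@dataclass(frozen=True)
class OneWaySA:
    """Everything both peers must agree on for one direction of traffic."""
    spi: int
    auth_key: str                 # hex, HMAC-SHA1
    cipher_key: Optional[str]     # hex, DES; None for the esp-null transform set

    def __post_init__(self):
        if not SPI_MIN <= self.spi <= SPI_MAX:
            raise ValueError(f"SPI {self.spi} outside {SPI_MIN}..{SPI_MAX}")
        if len(bytes.fromhex(self.auth_key)) != SHA1_KEY_BYTES:
            raise ValueError("esp-sha-hmac needs a 20-byte (40 hex digit) key")
        if self.cipher_key is not None and len(bytes.fromhex(self.cipher_key)) != DES_KEY_BYTES:
            raise ValueError("esp-des needs an 8-byte (16 hex digit) key")


def new_sa(spi: int, with_cipher: bool) -> OneWaySA:
    """Fresh random keys for one direction (one key per direction, unlike the page)."""
    auth = secrets.token_bytes(SHA1_KEY_BYTES).hex()
    cipher = des_key_with_odd_parity(secrets.token_bytes(DES_KEY_BYTES)).hex() if with_cipher else None
    return OneWaySA(spi, auth, cipher)


def session_key_line(direction: str, sa: OneWaySA) -> str:
    line = f" set session-key {direction} esp {sa.spi}"
    if sa.cipher_key is not None:
        line += f" cipher {sa.cipher_key}"
    return line + f" auth {sa.auth_key}"


def crypto_map(name: str, seq: int, peer: str, inbound: OneWaySA, outbound: OneWaySA,
               transform_set: str, acl: int) -> str:
    return "\n".join([
        f"crypto map {name} {seq} ipsec-manual",
        f" set peer {peer}",
        session_key_line("in", inbound),
        session_key_line("out", outbound),
        f" set transform-set {transform_set}",
        f" match address {acl}",
    ])


def manual_ipsec_pair(r1_addr: str, r2_addr: str, with_cipher: bool = True) -> dict:
    """Return the crypto map text for R1 and R2 plus the SAs they share.
    R1's inbound SA is R2's outbound SA and vice versa; the mirroring is
    enforced here rather than typed twice by hand."""
    r1_to_r2 = new_sa(1002, with_cipher)   # the page's SPI for R1 -> R2
    r2_to_r1 = new_sa(2001, with_cipher)   # the page's SPI for R2 -> R1
    ts = "esp-des-sha1" if with_cipher else "esp-none-sha1"
    return {
        "R1": crypto_map("test", 10, r2_addr, inbound=r2_to_r1, outbound=r1_to_r2,
                         transform_set=ts, acl=100),
        "R2": crypto_map("test", 10, r1_addr, inbound=r1_to_r2, outbound=r2_to_r1,
                         transform_set=ts, acl=100),
        "sas": {"R1->R2": r1_to_r2, "R2->R1": r2_to_r1},
    }


if __name__ == "__main__":
    cfg = manual_ipsec_pair("10.255.255.201", "10.255.255.1")
    print(cfg["R1"])
    print()
    print(cfg["R2"])
```

Run it once per key change and paste each block into the matching router; the ACLs and the interface binding stay as shown on the page. The output for with_cipher=False has no cipher keyword, which is the esp-null form used in the first test.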
The connection is tested:
R1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38
Type escape sequence to abort.
Sending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms
The resulting SA on R1 shows two protected packets; with esp-null only the digest/verify counters move, nothing is encrypted:
R1#sh cry ips sa
interface: FastEthernet0
Crypto map tag: test, local addr. 10.255.255.201
protected vrf:
local ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
current_peer: 10.255.255.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 0, #pkts digest 2
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 3EA
inbound esp sas:
spi: 0x7D1(2001)
transform: esp-null esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 1, crypto map: test
no sa timing
IV size: 0 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3EA(1002)
transform: esp-null esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 2, crypto map: test
no sa timing
IV size: 0 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
R1#
For the next test the routers are also configured for encryption with DES. For that we need a transform set with ESP encryption, and the DES session keys have to be added to the crypto map.
The changes for Router 1:
crypto ipsec transform-set esp-des-sha1 esp-des esp-sha-hmac
crypto map test 10 ipsec-manual
set session-key in esp 2001 cipher 0123456789012345 auth 0123456789...
set session-key out esp 1002 cipher 0123456789012345 auth 0123456789...
set transform-set esp-des-sha1
The DES key is specified with the full 64 bits (16 hex characters); only 56 bits are actually used for encryption, the low bit of each byte being a parity bit.
The changes for Router 2:
crypto map test 10 ipsec-manual
set peer 10.255.255.201
set session-key in esp 1002 cipher 0123456789012345 auth 0123456789...
set session-key out esp 2001 cipher 0123456789012345 auth 0123456789...
set transform-set esp-des-sha1
The connection is tested again:
R1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38
Type escape sequence to abort.
Sending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 4/4/4 ms
The IPSec SA shows that there is now also encrypted and decrypted traffic (the IV size of 8 bytes is the DES block size):
R1#sh crypto ips sa
interface: FastEthernet0
Crypto map tag: test, local addr. 10.255.255.201
protected vrf:
local ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
current_peer: 10.255.255.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 2, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 2, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 3EA
inbound esp sas:
spi: 0x7D1(2001)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 1, crypto map: test
no sa timing
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3EA(1002)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 2, crypto map: test
no sa timing
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
R1#
The next example shows what happens when the authentication keys differ on the two routers. For that we change the inbound authentication key on Router1:
crypto map test 10 ipsec-manual
set session-key in esp 2001 ciph 0123456789012345 auth 01234...89aaaaaaaaaa
Router2 still has the same outbound key as before:
crypto map test 10 ipsec-manual
set session-key out esp 2001 ciph 0123456789012345 auth 01234...890123456789
We test it with an outgoing ping from Router1. As only the inbound key on Router1 was changed, Router2 can still verify and decrypt the ping and responds to it, but Router1 cannot verify the HMAC of the reply and drops it, so the ping fails:
R1#ping 11.11.2.1 source loopback 11 repeat 1 data 1a2b size 38
Type escape sequence to abort.
Sending 1, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
.
Success rate is 0 percent (0/1)
On Router1 the following message was displayed:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001
The SADB shows one packet encrypted and digested on the way out, but the received one counted as a receive error (decaps 1, verify 0):
R1#sh cry ips sa
interface: FastEthernet0
Crypto map tag: test, local addr. 10.255.255.201
protected vrf:
local ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
current_peer: 10.255.255.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest 1
#pkts decaps: 1, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1
local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 3EA
inbound esp sas:
spi: 0x7D1(2001)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 1, crypto map: test
no sa timing
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3EA(1002)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 2, crypto map: test
no sa timing
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
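Two things on this page are easier to see on the wire than in show output: the esp-null transform set of the first test leaves the inner datagram readable, so anyone with the static key can verify (or forge) the ICV of a captured packet, and the key mismatch of the last test is nothing more than an HMAC that fails to verify on the receiver. The following code builds the page's 38-byte ping as an ESP packet with null encryption and HMAC-SHA1-96 (RFC 2404: the 160-bit key, ICV truncated to 96 bits), then decapsulates it with the right and with a wrong key. It is an added example, not the page's own code or anything from IOS; the inner IPv4/ICMP datagram, the sequence number and the mismatched key are constructed here.

```python
"""ESP-null + HMAC-SHA1-96 as the page's esp-none-sha1 transform set puts it
on the wire. Added example, not from the page; the inner datagram, sequence
number and the wrong key are constructed."""
import hashlib
import hmac
import struct

AUTH_KEY = bytes.fromhex("0123456789012345678901234567890123456789")  # the page's 160-bit key
ICV_LEN = 12          # HMAC-SHA1-96: full SHA-1 HMAC truncated to 96 bits
SPI_R1_TO_R2 = 1002   # 0x3EA, the page's outbound SPI on R1
NEXT_HEADER_IPIP = 4  # tunnel mode: the ESP payload is a whole IPv4 packet


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_echo_datagram(src: str, dst: str, total_len: int, pattern: bytes,
                       ident: int = 1, seq: int = 0) -> bytes:
    """A 'size N data xxxx' IOS ping: IPv4 header + ICMP echo, data filled with the pattern."""
    data_len = total_len - 20 - 8
    data = (pattern * (data_len // len(pattern) + 1))[:data_len]
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 255, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def esp_null_encap(spi: int, seq: int, inner: bytes, key: bytes) -> bytes:
    """ESP with null encryption: SPI | seq | payload | pad | padlen | NH | ICV.
    Padding brings payload+padlen+NH to a 4-byte boundary; the ICV covers
    everything before it (RFC 4303)."""
    pad_len = (-(len(inner) + 2)) % 4
    pad = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([pad_len, NEXT_HEADER_IPIP])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_decap(packet: bytes, key: bytes):
    """Verify the ICV and strip ESP. Returns (spi, seq, inner) or raises ValueError,
    which is the condition behind IOS's '%CRYPTO-4-RECVD_PKT_MAC_ERR ... mac verify failed'.
    Nothing here checks seq: manual keying gives no anti-replay ('replay detection support: N')."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("mac verify failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, nh = body[-2], body[-1]
    if nh != NEXT_HEADER_IPIP:
        raise ValueError(f"unexpected next header {nh}")
    return spi, seq, body[8:len(body) - 2 - pad_len]


def roundtrip(receiver_key: bytes) -> bool:
    """Encapsulate the page's ping with the sender's key and decapsulate it with the
    receiver's key; True when the inner datagram survives, False on ICV mismatch."""
    inner = icmp_echo_datagram("11.11.1.1", "11.11.2.1", 38, b"\x1a\x2b")
    pkt = esp_null_encap(SPI_R1_TO_R2, 1, inner, AUTH_KEY)
    try:
        return esp_null_decap(pkt, receiver_key)[2] == inner
    except ValueError:
        return False


if __name__ == "__main__":
    print("matching keys:", roundtrip(AUTH_KEY))
    # constructed mismatched key, in the spirit of the page's changed tail
    print("mismatched keys:", roundtrip(bytes.fromhex("012345678901234567890123456789aaaaaaaaaa")))
```

With the esp-null transform set the inner IPv4 header and the 0x1A2B pattern are visible in a capture after the 8-byte ESP header, which is exactly why the page starts without encryption. Because the sequence number is not checked, any captured packet could be replayed into the tunnel as long as the key stays in service; that is the cost of "no sa timing" and "replay detection support: N".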