IPSec: manual configuration in Cisco IOS

This example shows how manually keyed IPSec is configured in Cisco IOS. With this configuration no ISAKMP/IKE is needed to negotiate keys; the session keys are configured statically on both routers. This is of course not the recommended way of configuring IPSec: the keys never change unless an operator changes them on both sides, and, as the SA output below shows ("no sa timing", "replay detection support: N"), manually keyed SAs have neither a lifetime nor replay detection.

Topology used in this example:

Topology for the IPSec example (figure)

The relevant starting configuration of Router1:


interface Loopback11
 ip address 11.11.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 10.255.255.201 255.255.255.0

For manual IPSec no ISAKMP is needed, so it is disabled:


no crypto isakmp enable

We need a transform-set. First we use one without encryption (ESP-NULL with HMAC-SHA-1) so that the traffic can be captured and analyzed in the clear:


crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac

An access-list defines the traffic that has to be protected. For manual IPSec this ACL may only have a single entry:


access-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255

A crypto map is written. Inside the crypto map the peer, the transform-set and the session keys are specified:


crypto map test 10 ipsec-manual
 set peer 10.255.255.1
 set session-key in esp 2001 auth 0123456789012345678901234567890123456789
 set session-key out esp 1002 auth 0123456789012345678901234567890123456789
 set transform-set esp-none-sha1
 match address 100

Each SA has a unique Security Parameter Index (SPI). Here the outgoing datagrams are protected with SPI 1002 and the incoming datagrams are expected to carry SPI 2001; the peer configures the same SPIs with the directions swapped. As we are using HMAC-SHA-1, the session key is 160 bits, i.e. 40 hex characters.

The crypto map is applied to the outbound interface:


interface FastEthernet0
 crypto map test

The resulting config of Router1:


no crypto isakmp enable
!
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
!
crypto map test 10 ipsec-manual
 set peer 10.255.255.1
 set session-key in esp 2001 auth 0123456789012345678901234567890123456789
 set session-key out esp 1002 auth 0123456789012345678901234567890123456789
 set transform-set esp-none-sha1
 match address 100
!
access-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255
!
interface Loopback11
 ip address 11.11.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 10.255.255.201 255.255.255.0
 crypto map test

Router 2 is configured the same way, with the peer address and the in/out SPIs swapped (Vlan1 is the outgoing interface on R2):


crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
!
crypto map test 10 ipsec-manual
 set peer 10.255.255.201
 set session-key in esp 1002 auth 0123456789012345678901234567890123456789
 set session-key out esp 2001 auth 0123456789012345678901234567890123456789
 set transform-set esp-none-sha1
 match address 100
!
access-list 100 permit ip 11.11.2.0 0.0.0.255 11.11.1.0 0.0.0.255
!
interface Loopback11
 ip address 11.11.2.1 255.255.255.0
!
interface Vlan1
 crypto map test
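
As an added example that is not part of the original page or of Cisco IOS: with manual keying nothing checks the two configurations against each other, so the Python script below does what IKE would otherwise guarantee. It parses the crypto-map and transform-set lines of both routers, checks that every key has the length its transform needs (40 hex digits for esp-sha-hmac, 16 for esp-des) and that each router's inbound SPI and keys mirror the peer's outbound SPI and keys. The sample configurations are constructed from the two routers above; the variant with ten 'a' digits at the end of Router1's inbound key is an assumption standing in for the key mismatch tested later on this page (which the page only shows truncated). It assumes one ipsec-manual crypto-map entry per router.

```python
"""Consistency check for Cisco IOS manual-keyed IPsec ("crypto map ... ipsec-manual").

Added example; not code from the original page or from Cisco.  With manual
keying there is no IKE to agree on SPIs, keys and transforms, so the operator
has to get these right by hand on both routers:
  * the key length fits the transform (HMAC-SHA-1: 40 hex digits, DES: 16),
  * router A's inbound SPI and keys equal router B's outbound SPI and keys,
    and vice versa,
  * both sides reference the same transforms.
Assumption: one ipsec-manual crypto-map entry per router (as on this page).
"""
import re

# Key sizes in hex digits per IOS transform keyword (only the transforms used
# on this page plus the common esp-md5-hmac / esp-3des are listed).
AUTH_KEY_HEX = {"esp-sha-hmac": 40, "esp-md5-hmac": 32}
CIPHER_KEY_HEX = {"esp-null": 0, "esp-des": 16, "esp-3des": 48}

SA_RE = re.compile(
    r"set session-key (in|out) esp (\d+)"
    r"(?:\s+ciph\w*\s+([0-9a-fA-F]+))?"      # IOS accepts "ciph" for "cipher"
    r"(?:\s+auth\w*\s+([0-9a-fA-F]+))?\s*$"
)


def parse_config(text):
    """Pull transform-sets, peer and per-direction session keys out of an IOS config."""
    cfg = {"transform_sets": {}, "transform_set": None, "peer": None, "sas": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"set peer (\S+)$", line)
        if m:
            cfg["peer"] = m.group(1)
            continue
        m = re.match(r"set transform-set (\S+)$", line)
        if m:
            cfg["transform_set"] = m.group(1)
            continue
        m = SA_RE.match(line)
        if m:
            direction, spi, cipher, auth = m.groups()
            cfg["sas"][direction] = {"spi": int(spi), "cipher": cipher or "", "auth": auth or ""}
    return cfg


def check_router(cfg, name):
    """Per-router checks: transform-set exists, both directions keyed, key lengths fit."""
    problems = []
    transforms = cfg["transform_sets"].get(cfg["transform_set"])
    if transforms is None:
        return [f"{name}: transform-set {cfg['transform_set']!r} is not defined"]
    for direction in ("in", "out"):
        sa = cfg["sas"].get(direction)
        if sa is None:
            problems.append(f"{name}: no {direction}bound session key")
            continue
        for t in transforms:
            for table, field in ((AUTH_KEY_HEX, "auth"), (CIPHER_KEY_HEX, "cipher")):
                if t in table and len(sa[field]) != table[t]:
                    problems.append(
                        f"{name} {direction} SPI {sa['spi']}: {t} needs "
                        f"{table[t]} hex digits of {field} key, got {len(sa[field])}")
    return problems


def check_pair(cfg_a, name_a, cfg_b, name_b):
    """Cross checks: A's inbound SA must mirror B's outbound SA and vice versa."""
    problems = check_router(cfg_a, name_a) + check_router(cfg_b, name_b)
    ts_a = cfg_a["transform_sets"].get(cfg_a["transform_set"])
    ts_b = cfg_b["transform_sets"].get(cfg_b["transform_set"])
    if ts_a and ts_b and sorted(ts_a) != sorted(ts_b):
        problems.append(f"transform mismatch: {name_a} {ts_a} vs {name_b} {ts_b}")
    for d_a, d_b in (("out", "in"), ("in", "out")):
        sa_a, sa_b = cfg_a["sas"].get(d_a), cfg_b["sas"].get(d_b)
        if not (sa_a and sa_b):
            continue
        if sa_a["spi"] != sa_b["spi"]:
            problems.append(f"SPI mismatch: {name_a} {d_a} {sa_a['spi']} vs {name_b} {d_b} {sa_b['spi']}")
        elif sa_a["auth"] != sa_b["auth"] or sa_a["cipher"] != sa_b["cipher"]:
            problems.append(f"key mismatch on SPI {sa_a['spi']}: {name_a} {d_a} != {name_b} {d_b}")
    return problems


# Constructed from the page's Router1/Router2 configs (esp-null + HMAC-SHA-1).
KEY = "0123456789012345678901234567890123456789"
R1_CFG = f"""
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
crypto map test 10 ipsec-manual
 set peer 10.255.255.1
 set session-key in esp 2001 auth {KEY}
 set session-key out esp 1002 auth {KEY}
 set transform-set esp-none-sha1
 match address 100
"""
R2_CFG = f"""
crypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac
crypto map test 10 ipsec-manual
 set peer 10.255.255.201
 set session-key in esp 1002 auth {KEY}
 set session-key out esp 2001 auth {KEY}
 set transform-set esp-none-sha1
 match address 100
"""
# Assumed variant of the page's later mistake: R1's inbound auth key ends in ten 'a's.
R1_BAD_CFG = R1_CFG.replace(f"in esp 2001 auth {KEY}", "in esp 2001 auth " + KEY[:30] + "a" * 10)

if __name__ == "__main__":
    for label, r1 in (("good", R1_CFG), ("bad", R1_BAD_CFG)):
        problems = check_pair(parse_config(r1), "R1", parse_config(R2_CFG), "R2")
        print(label, "->", problems or "consistent")
```

Run it against the real "show running-config" output of both routers before applying the crypto map; a reported SPI or key mismatch is exactly what later shows up as %CRYPTO-4-RECVD_PKT_MAC_ERR and a growing "#recv errors" counter.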

The connection is tested:


R1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38

Type escape sequence to abort.
Sending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

The resulting SA on R1 shows two protected packets. Only the digest/verify counters move, since esp-null does not encrypt anything:


R1#sh cry ips sa

interface: FastEthernet0
    Crypto map tag: test, local addr. 10.255.255.201

   protected vrf:
   local  ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
   current_peer: 10.255.255.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 0, #pkts digest 2
    #pkts decaps: 2, #pkts decrypt: 0, #pkts verify 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 3EA

     inbound esp sas:
      spi: 0x7D1(2001)
        transform: esp-null esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 1, crypto map: test
        no sa timing
        IV size: 0 bytes
        replay detection support: N

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3EA(1002)
        transform: esp-null esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 2, crypto map: test
        no sa timing
        IV size: 0 bytes
        replay detection support: N

     outbound ah sas:

     outbound pcp sas:
R1#

For the next test the routers are also configured for encryption with DES. For that we need a transform-set with ESP encryption, and the DES session keys have to be added to the crypto map:

The changes for Router 1:


crypto ipsec transform-set esp-des-sha1 esp-des esp-sha-hmac
crypto map test 10 ipsec-manual
 set session-key in esp 2001 cipher 0123456789012345 auth 0123456789...
 set session-key out esp 1002 cipher 0123456789012345 auth 0123456789...
 set transform-set esp-des-sha1

The DES cipher key is specified with the full 64 bits (16 hex characters); 56 of them are actually used for encryption, the remaining 8 are parity bits.

The changes for Router 2:


crypto map test 10 ipsec-manual
 set peer 10.255.255.201
 set session-key in esp 1002 cipher 0123456789012345 auth 0123456789...
 set session-key out esp 2001 cipher 0123456789012345 auth 0123456789...
 set transform-set esp-des-sha1

The connection is tested again:


R1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38

Type escape sequence to abort.
Sending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 4/4/4 ms

The IPSec SA now also shows encrypted and decrypted traffic; note that the IV size has changed from 0 to 8 bytes, the DES block size:


R1#sh crypto ips sa

interface: FastEthernet0
    Crypto map tag: test, local addr. 10.255.255.201

   protected vrf:
   local  ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
   current_peer: 10.255.255.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 2, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 2, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 3EA

     inbound esp sas:
      spi: 0x7D1(2001)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 1, crypto map: test
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3EA(1002)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 2, crypto map: test
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

     outbound pcp sas:
R1#

The next example shows the result of using different authentication keys on the two routers. For that the inbound authentication key on Router1 is changed:


crypto map test 10 ipsec-manual
 set session-key in esp 2001 ciph 0123456789012345 auth 01234...89aaaaaaaaaa

Router2 still has the same outbound key as before:


crypto map test 10 ipsec-manual
 set session-key out esp 2001 ciph 0123456789012345 auth 01234...890123456789

We test it with an outgoing ping from Router1. As only the inbound key on Router1 was changed, Router2 can still verify and decrypt the echo request and sends a reply, but Router1 cannot verify the reply with its new inbound key, so the ping fails:


R1#ping 11.11.2.1 source loopback 11 repeat 1 data 1a2b size 38

Type escape sequence to abort.
Sending 1, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.1.1
Packet has data pattern 0x1A2B
.
Success rate is 0 percent (0/1)

On Router1 the following message was displayed (connection id 2001 is the inbound SA, see the SADB output below):


%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001

The SADB shows one packet encrypted and digested on the way out, but the packet received in return failed verification (#pkts decaps 1, #pkts verify 0, #recv errors 1):


R1#sh cry ips sa

interface: FastEthernet0
    Crypto map tag: test, local addr. 10.255.255.201

   protected vrf:
   local  ident (addr/mask/prot/port): (11.11.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (11.11.2.0/255.255.255.0/0/0)
   current_peer: 10.255.255.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest 1
    #pkts decaps: 1, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 3EA

     inbound esp sas:
      spi: 0x7D1(2001)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 1, crypto map: test
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3EA(1002)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 2, crypto map: test
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

     outbound pcp sas:
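
What "mac verify failed" means on the wire, as an added example that is not code from the original page or from Cisco IOS: the Python script below builds an ESP tunnel-mode packet for SPI 2001 the way R2's outbound SA would with the esp-null / esp-sha-hmac transform, i.e. the payload in the clear and a 96-bit HMAC-SHA-1 ICV over SPI, sequence number, payload and ESP trailer (RFC 2404, RFC 4303), and verifies it the way R1's inbound SA does. With the key from the page the ICV checks out; with the changed inbound key it fails, just as it does for a packet modified in transit. The inner IPv4/ICMP datagram is constructed here, and the full value of the changed key is an assumption (the page shows it truncated). The esp-des variant of the second test would additionally DES-CBC-encrypt payload and trailer before the ICV is computed; that step is left out.

```python
"""ESP-NULL + HMAC-SHA1-96 on the wire: what the manual SA on this page does per packet.

Added example, not code from the original page or from Cisco IOS.  Builds an
ESP tunnel-mode packet as R2's outbound SA (SPI 2001) would with the esp-null /
esp-sha-hmac transform, then verifies it as R1's inbound SA does: recompute
HMAC-SHA-1 over SPI | seq | payload | padding | pad length | next header and
compare the first 96 bits with the trailing ICV.  The inner datagram is
constructed; the mismatched key is an assumption (the page shows it truncated).
"""
import hmac
import hashlib
import struct

ICV_LEN = 12          # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
NEXT_HEADER_IPIP = 4  # tunnel mode: the ESP payload is a whole IPv4 datagram


def esp_null_encapsulate(spi, seq, inner, auth_key_hex, align=4):
    """ESP with the esp-null cipher: payload stays in clear, only the ICV protects it."""
    pad_len = (-(len(inner) + 2)) % align          # payload+padlen+nh aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default monotonic padding
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, NEXT_HEADER_IPIP])
    icv = hmac.new(bytes.fromhex(auth_key_hex), body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_verify(packet, auth_key_hex):
    """R1's inbound processing: check the ICV first, only then trust trailer and payload."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(bytes.fromhex(auth_key_hex), body, hashlib.sha1).digest()[:ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    result = {"ok": hmac.compare_digest(icv, expected), "spi": spi, "seq": seq, "inner": None}
    if result["ok"]:
        pad_len, result["next_header"] = body[-2], body[-1]
        result["inner"] = body[8:-(2 + pad_len)]
    return result


def ip_checksum(data):
    """Standard one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_echo_datagram(src, dst, payload, ident=1, seq=1):
    """Constructed IPv4/ICMP echo, like the page's ping between 11.11.1.1 and 11.11.2.1."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


KEY = "0123456789012345678901234567890123456789"   # page's HMAC-SHA-1 key, 40 hex = 160 bit
BAD_KEY = KEY[:30] + "a" * 10                      # assumed: page shows it as 01234...89aaaaaaaaaa


def demo():
    """R2 -> R1 over SPI 2001; R1 verifies with the right key, the changed key, and a tampered packet."""
    inner = icmp_echo_datagram("11.11.2.1", "11.11.1.1", bytes.fromhex("1a2b") * 8)
    pkt = esp_null_encapsulate(2001, 1, inner, KEY)
    tampered = bytearray(pkt)
    tampered[8 + 28] ^= 0x01                       # flip one bit inside the ICMP data
    return {
        "inner_in_clear": inner in pkt,            # esp-null: a capture shows the datagram as-is
        "good_key_ok": esp_verify(pkt, KEY)["ok"],
        "recovered_inner": esp_verify(pkt, KEY)["inner"] == inner,
        "bad_key_ok": esp_verify(pkt, BAD_KEY)["ok"],        # -> "mac verify failed" on R1
        "tampered_ok": esp_verify(bytes(tampered), KEY)["ok"],
        "replay_ok": esp_verify(pkt, KEY)["ok"],   # same seq again: manual SA has no anti-replay
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details mirror the SA output on this page: the payload of the esp-null packet is readable in a capture (which is why that transform was used for the first test), and the verifier does not track sequence numbers, so a replayed packet verifies again, matching "replay detection support: N" for a manually keyed SA.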
