i like ike…

ike phase 1

negotiates the ISAKMP policy (encryption, hash, authentication method, diffie-hellman group, lifetime) between the peers, runs the DH exchange and authenticates both ends, producing the ISAKMP SA: a protected channel used only for control traffic. it does not carry user data

ike phase 2

runs inside the phase 1 SA (quick mode) and negotiates the ipsec SAs: the transform set (esp/ah, encryption and integrity algorithms), the traffic to protect (the proxy identities from the crypto access-list), optional PFS, and the lifetime. these SAs are what actually encrypt and authenticate the data

enable ike

r1(config)#crypto isakmp enable

create the isakmp policy

the isakmp policy defines the hash, authentication method, DH group, lifetime and encryption used to protect the control traffic while the peers establish an SA (security association). once that SA is established between the peers, ike phase 1 is complete

h a g l e

hash authentication group lifetime encryption

r1(config)#crypto isakmp policy 10
ISAKMP commands:
authentication  Set authentication method for protection suite
default         Set a command to its defaults
encryption      Set encryption algorithm for protection suite
exit            Exit from ISAKMP protection suite configuration mode
group           Set the Diffie-Hellman group
hash            Set hash algorithm for protection suite
lifetime        Set lifetime for ISAKMP security association
no              Negate a command or set its defaults

this policy must match on both peers: hash, authentication, group and encryption have to be identical, while the lifetime only has to be less than or equal to the responder's (the shorter one is used). policies are tried in priority order, lowest number first, and the built-in default suite (DES, DH group 1, rsa-sig) is always present at the bottom of the list, so a mismatch in your own policies can silently fall through to it

r1(config-isakmp)#hash sha
r1(config-isakmp)#authenti pre-share
r1(config-isakmp)#group 5
r1(config-isakmp)#lifetime 3600
r1(config-isakmp)#encryption aes 256

r1(config-isakmp)#do sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm:   AES – Advanced Encryption Standard (256 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Pre-Shared Key
Diffie-Hellman group:   #5 (1536 bit)
lifetime:               3600 seconds, no volume limit
Default protection suite
encryption algorithm:   DES – Data Encryption Standard (56 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Rivest-Shamir-Adleman Signature
Diffie-Hellman group:   #1 (768 bit)
lifetime:               86400 seconds, no volume limit
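the matching rule above, modelled in python as an added example (this is not IOS code and not from the original post): the initiator's policies are offered in priority order, the responder compares each of its own policies against them, and H, A, G, E must be identical while the offered lifetime must be less than or equal to the responder's. both lists end with the default protection suite shown in the output, which is why a typo in one parameter can quietly land you on DES and DH group 1. the weak-algorithm thresholds are the editor's assumption, not anything stated on the page.

```python
"""IKE phase 1 (ISAKMP) policy matching, as an added illustration.

Not Cisco code: it models the documented rule. The initiator offers its
policies lowest priority number first; the responder walks its own list
in the same order and accepts the first pair whose hash, authentication,
DH group and encryption are identical and whose offered lifetime is
<= its local lifetime (the shorter value is then used). Both lists end
with the IOS default protection suite. WEAK_* sets are the editor's
audit thresholds, not part of the original page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = tried first
    hash: str            # "sha" (SHA-1), "sha256", "md5"
    authentication: str  # "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int        # seconds
    encryption: str      # "aes 256", "3des", "des"


# IOS default protection suite, as printed by 'show crypto isakmp policy'.
DEFAULT_POLICY = IsakmpPolicy(65535, "sha", "rsa-sig", 1, 86400, "des")

# Editor's assumption: algorithms a current audit would flag.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}   # IOS "sha" is SHA-1
WEAK_DH_GROUPS = {1, 2, 5}   # 768/1024/1536-bit MODP


def policies_match(offer: IsakmpPolicy, local: IsakmpPolicy) -> bool:
    """HAGLE check: H, A, G, E identical; L only needs offer <= local."""
    return (offer.hash == local.hash
            and offer.authentication == local.authentication
            and offer.group == local.group
            and offer.encryption == local.encryption
            and offer.lifetime <= local.lifetime)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (offered policy, responder policy, agreed lifetime) for the
    first match, or None. The default suite is appended to both lists."""
    offers = sorted(initiator, key=lambda p: p.priority) + [DEFAULT_POLICY]
    locals_ = sorted(responder, key=lambda p: p.priority) + [DEFAULT_POLICY]
    for local in locals_:            # responder checks its own policies in order
        for offer in offers:         # against everything the initiator sent
            if policies_match(offer, local):
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


def weaknesses(policy: IsakmpPolicy) -> List[str]:
    """Audit findings for one policy, using the editor's thresholds above."""
    findings = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {policy.encryption}")
    if policy.hash in WEAK_HASH:
        findings.append(f"hash {policy.hash}")
    if policy.group in WEAK_DH_GROUPS:
        findings.append(f"dh group {policy.group}")
    return findings


# r1's policy 10 from the page, and a constructed peer whose only
# difference is a longer lifetime (allowed) or a different DH group (not).
R1_POLICY_10 = IsakmpPolicy(10, "sha", "pre-share", 5, 3600, "aes 256")
PEER_OK = IsakmpPolicy(10, "sha", "pre-share", 5, 7200, "aes 256")
PEER_WRONG_GROUP = IsakmpPolicy(10, "sha", "pre-share", 2, 3600, "aes 256")

if __name__ == "__main__":
    print(negotiate([R1_POLICY_10], [PEER_OK]))          # agreed lifetime 3600
    print(negotiate([R1_POLICY_10], [PEER_WRONG_GROUP]))  # falls to the DES default
    print(weaknesses(R1_POLICY_10))
```

the second call is the one to remember: with one wrong parameter the only common ground left is the default suite, so `show crypto isakmp sa` may still show a phase 1 SA, just not the one you configured (and rsa-sig will then fail for lack of certificates). check the negotiated policy, not just that an SA exists.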

create a pre-shared key for this example:

r1(config)#crypto isakmp key psycho add

a transform set names the ipsec (phase 2) protocols and algorithms offered to the peer: here ESP with AES-256 for confidentiality and SHA-1 HMAC for integrity. it is what the two sides negotiate when building the ipsec SA:

r1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

create an access-list to define interesting traffic:

access-list 101 permit ip

reverse this for the peer… the peer's crypto access-list must be the mirror image (source and destination swapped), otherwise the phase 2 proxy identities will not match and the SA will not come up

create a crypto map to match the access-list to the peers various ike and ipsec settings…

r1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r1(config-crypto-map)#match address 101
r1(config-crypto-map)#set peer
r1(config-crypto-map)#set pfs group5
r1(config-crypto-map)#set transform-set 50
r1(config-crypto-map)#set security-association lifetime seconds 900

assign the maps to the interfaces and send some traffic to light 'em up… (until traffic matching the crypto access-list has been sent there will be no SA)

r3(config)#int s0/0
r3(config-if)#crypto map CMAP
*Mar 31 12:18:11.831: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

r3#sh crypto isakmp sa
dst             src             state          conn-id slot status


a ping from the host makes it interesting… note the first one times out: that packet is dropped while ike phase 1 and phase 2 complete, and only the following ones go through the tunnel


r1#sh crypto isakmp sa
dst             src             state          conn-id slot status
                                QM_IDLE              1    0 ACTIVE

r1#sh crypto ipsec sa

interface: Serial0/0
Crypto map tag: CMAP, local addr

protected vrf: (none)
local  ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x7805C8A3(2013644963)

inbound esp sas:
spi: 0x6BB78A0B(1807190539)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4501618/613)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7805C8A3(2013644963)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4501618/595)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
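the counters in that output are the quickest way to tell a working tunnel from a half-built one: encaps/encrypt should be non-zero and equal, decaps should also be moving (otherwise the peer is not sending back, usually a non-mirrored crypto ACL), and both ESP SAs should be ACTIVE with the same transform. below is an added python check that reads a `show crypto ipsec sa` dump in the format IOS prints above and lists what is wrong; it is not from the original post or from Cisco, and the sample text with its addresses and subnets is constructed for the example.

```python
"""Sanity-check a 'show crypto ipsec sa' dump. Added example, not from the
page or from Cisco; SAMPLE below is constructed (addresses made up) in the
layout IOS prints."""
import re
from typing import Dict, List

SAMPLE = """\
interface: Serial0/0
    Crypto map tag: CMAP, local addr 10.0.13.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.0.13.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     current outbound spi: 0x7805C8A3(2013644963)

     inbound esp sas:
      spi: 0x6BB78A0B(1807190539)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0x7805C8A3(2013644963)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
"""

# Same dump with every '#pkts X: N' counter zeroed: what you see before the
# first interesting packet (or when the crypto ACL never matches).
NO_TRAFFIC = re.sub(r"(#pkts \w+): \d+", r"\1: 0", SAMPLE)

_COUNTER = re.compile(r"#((?:pkts )?[a-z. ]+?):? (\d+)")
_SA_HEADER = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
_SA_FIELD = re.compile(r"(spi|transform|Status|replay detection support): (.+?),?\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Collect '#pkts ...', '#send errors' and '#recv errors' counters."""
    return {m.group(1).strip(): int(m.group(2)) for m in _COUNTER.finditer(text)}


def parse_sas(text: str) -> Dict[str, Dict[str, str]]:
    """Collect spi/transform/Status per 'inbound esp', 'outbound esp', ..."""
    sas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        hdr = _SA_HEADER.search(line)
        if hdr:
            current = f"{hdr.group(1)} {hdr.group(2)}"
            sas[current] = {}
            continue
        fld = _SA_FIELD.search(line)
        if fld and current:   # 'current outbound spi' sits outside any SA block
            sas[current][fld.group(1)] = fld.group(2).strip()
    return sas


def check_tunnel(text: str) -> List[str]:
    """Return problems found; an empty list means traffic flows both ways."""
    c, sas = parse_counters(text), parse_sas(text)
    problems: List[str] = []
    for direction in ("inbound esp", "outbound esp"):
        sa = sas.get(direction)
        if not sa or "spi" not in sa:
            problems.append(f"no {direction} SA (no interesting traffic yet, or phase 1/2 failed)")
        elif sa.get("Status") != "ACTIVE":
            problems.append(f"{direction} SA status {sa.get('Status')}")
    inb, outb = sas.get("inbound esp", {}), sas.get("outbound esp", {})
    if "transform" in inb and "transform" in outb and inb["transform"] != outb["transform"]:
        problems.append("inbound/outbound transforms differ")
    if c.get("pkts encaps", 0) == 0:
        problems.append("no packets encapsulated: traffic is not matching the crypto ACL")
    elif c.get("pkts encaps") != c.get("pkts encrypt"):
        problems.append("encaps/encrypt counters differ")
    if c.get("pkts decaps", 0) == 0:
        problems.append("nothing decapsulated: peer not sending back (check the mirrored ACL)")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        problems.append(f"errors: send {c.get('send errors', 0)}, recv {c.get('recv errors', 0)}")
    return problems


if __name__ == "__main__":
    print(check_tunnel(SAMPLE))       # healthy: []
    print(check_tunnel(NO_TRAFFIC))   # encaps and decaps both zero
```

feed it the real output (`show crypto ipsec sa | include pkts|spi|Status|sas` gives the same lines) and re-run after each ping; the encaps counter should climb with every packet and decaps should climb with every reply.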