By Manny FernandezLets start with a little primer on IPSec. I am going to describe some concepts of IPSec VPNs.
Authentication Header or AH – The AH protocol provides authentication service only. AH provides data integrity, data origin authentication, and an optional replay protection service. AH authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field.
Encapsulating Security Payload or ESP – The ESP protocol provides data confidentiality by using encryption and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication. When ESP provides authentication functions, it uses the same algorithms as AH, but the coverage is different. AH-style authentication authenticates the entire IP packet, including the outer IP header, while the ESP authentication mechanism authenticates only the IP datagram portion of the IP packet.
Transport Mode – Transport Mode provides a secure connection between two endpoints as it encapsulates IP's payload.
Tunnel Mode – Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways.
Main Mode – Main mode requires six packets back and forth, but affords complete security during the establishment of an IPsec connection.
Aggressive mode – The fallacy is that this is better since it is "aggressive" however, Aggressive mode uses half the exchanges providing a bit less security because some information is transmitted in cleartext. If you get audited, they WILL ding you on this. Remote access IPSec VPNs use aggressive mode.
Internet Key Exchange or IKE – Is the mechanism by which the two devices exchange the keys.
Phase I – The purpose of phase 1 is to establish a secure channel for control plane traffic. The result of a successful phase 1 operation is the establishment of an ISAKMP SA which is then used to encrypt and verify all further IKE communications. Phase 1 can operate in two modes: main and aggressive.
Phase II – IKE phase 2 establishes IPSec SAs (one in each direction) for the VPN connection, and is referred to as Quick Mode. At the conclusion of phase 2 each peer will be ready to pass data plane traffic through the VPN. Quick mode consists of 3 messages sent between peers (with an optional 4th message). All messages in phase 2 are secured using the ISAKMP SA established in phase 1.
diag debug app ike -1
diag debug enable
diagnose vpn ike restart
diagnose vpn ike gateway clear
Lets get started
I have created a VPN in my lab and I will break it at different points and identify it on the output of the debug commands.
The first example, we are going to look at non-matching pre-shared keys
I will break down the sections:
possible pre-shared secret mismatch
In this example, I left ONLY AES-128 SHA256 while the remote firewall had the AES-128 SHA256 removed causing a mismatch.
AES-128 and SHA-256
Next screen shot for more output
no SA proposal chosen
In this section, I removed PFS on one side of the VPN.
In this output, we can see:
In this output, we do not see a specific PFS error, but normally in Phase II these are the following situations you will find:
In route-based VPNs we normally use 0.0.0.0/0 as the Phase II selectors. Because of this, you would not see this error. However if not:
Here we can see:
Hope this helps.
diag debug app ike -1 diag debug enable
diagnose vpn ike restart diagnose vpn ike gateway clear