
CCIE Security V4 Technology Labs Section 7:

Confidentiality and Secure Access

ASA EzVPN Server with PSK


Last updated: May 20, 2013

Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.

Task
Configure ASA4 to accept remote VPN connections from Cisco Easy VPN Clients using a group
named EZVPN-ASA:
Use 3DES/MD5 as the cipher/hash for IPSec Phase1/Phase2.
Use address pool 21.0.0.0/24 to allocate IP addresses for remote clients, and push the
DNS server IP address of 136.1.100.101 to the clients.
Allow for split-tunneling to network 136.1.18.0/24.
Remote users should be authenticated using the name CISCO-ASA and the password
CISCO1234.
Ensure that this user is only allowed to log in under the group EZVPN-ASA.

Configuration
ASA4:

crypto isakmp enable VLAN38


crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
!
vpn-addr-assign local
ip local pool EZVPN-ASA 21.0.0.1-21.0.0.254
!
access-list SPLIT_TUNNEL standard permit 136.1.18.0 255.255.255.0
!
username CISCO-ASA password CISCO1234
username CISCO-ASA attributes
group-lock value EZVPN-ASA
!
!
group-policy EZVPN-ASA internal
group-policy EZVPN-ASA attributes
vpn-tunnel-protocol IPSec
address-pools value EZVPN-ASA
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 136.1.100.101
!
!
tunnel-group EZVPN-ASA type remote-access
tunnel-group EZVPN-ASA general-attributes
authentication-server-group LOCAL
default-group-policy EZVPN-ASA
!
tunnel-group EZVPN-ASA ipsec-attributes
pre-shared-key CISCO
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 100 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 100 set reverse-route
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface VLAN38
!
router eigrp 111
redistribute static metric 100000 100 255 1 1500

The configuration above is for ASA code 8.2.x. Beginning with code 8.3, many IPsec-related
commands changed with the addition of IKEv2. The old commands still work, although they are
hidden, and the ASA automatically converts them to the new format.

ASA4:

crypto ikev1 enable VLAN38


crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
!
vpn-addr-assign local
ip local pool EZVPN-ASA 21.0.0.1-21.0.0.254
!
access-list SPLIT_TUNNEL standard permit 136.1.18.0 255.255.255.0
!
username CISCO-ASA password CISCO1234
username CISCO-ASA attributes
group-lock value EZVPN-ASA
!
!
group-policy EZVPN-ASA internal
group-policy EZVPN-ASA attributes
vpn-tunnel-protocol ikev1
address-pools value EZVPN-ASA
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 136.1.100.101
!
!
tunnel-group EZVPN-ASA type remote-access
tunnel-group EZVPN-ASA general-attributes
authentication-server-group LOCAL
default-group-policy EZVPN-ASA
!
tunnel-group EZVPN-ASA ipsec-attributes
ikev1 pre-shared-key CISCO
!
crypto ipsec ikev1 transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 100 set ikev1 transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 100 set reverse-route
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface VLAN38
!
router eigrp 111
redistribute static metric 100000 100 255 1 1500

Verification

Connect to the Test PC and create a new connection for ASA4.

Issue the debug crypto ikev1 64 command on the ASA and initiate the connection from the Test PC.
When the connection is established, review the Cisco VPN Client statistics window to inspect the
negotiated IP address and algorithms.

Also review the Route details tab to inspect the split-tunneling configuration.

Generate traffic over the tunnel and verify packet statistics again.

Verify the VPN connection on the ASA.

Rack1ASA4# show vpn-sessiondb ra-ikev1-ipsec filter name CISCO-ASA

Session Type: IKEv1 IPsec

Username     : CISCO-ASA              Index        : 4
Assigned IP  : 21.0.0.1               Public IP    : 136.1.38.3
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : EZVPN-ASA              Tunnel Group : EZVPN-ASA
Login Time   : 02:58:12 UTC Mon May 13 2013
Duration     : 0h:00m:25s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

On the ASA side, during the connection process, it receives an IKE Aggressive Mode message carrying
the group ID, based on which the EzVPN server selects the tunnel-group EZVPN-ASA.

[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
[IKEv1 DEBUG]IP = 136.1.38.3, processing SA payload
[IKEv1 DEBUG]IP = 136.1.38.3, processing ke payload
[IKEv1 DEBUG]IP = 136.1.38.3, processing ISA_KE payload
[IKEv1 DEBUG]IP = 136.1.38.3, processing nonce payload
[IKEv1 DEBUG]IP = 136.1.38.3, processing ID payload
[IKEv1 DEBUG]IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]IP = 136.1.38.3, Received xauth V6 VID
[IKEv1 DEBUG]IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]IP = 136.1.38.3, Received DPD VID
[IKEv1 DEBUG]IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]IP = 136.1.38.3, Received Fragmentation VID
[IKEv1 DEBUG]IP = 136.1.38.3, IKE Peer included IKE fragmentation capability flags: Main Mode: True  Aggressive Mode: False
[IKEv1 DEBUG]IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]IP = 136.1.38.3, Received NAT-Traversal ver 02 VID
[IKEv1 DEBUG]IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]IP = 136.1.38.3, Received Cisco Unity client VID
[IKEv1]IP = 136.1.38.3, Connection landed on tunnel_group EZVPN-ASA

At this point, the EzVPN server attempts to find a matching entry in the local ISAKMP policy
database. After this, the server performs authentication and generates a response packet.

[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing IKE SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing ISAKMP SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing ke payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing nonce payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Generating keys for Responder...
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing ID payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing Cisco Unity VID pay
load
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing xauth V6 VID payloa
d
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing dpd vid payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing NAT-Traversal VID v
er 02 payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing NAT-Discovery paylo
ad
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, computing NAT Discovery hash
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing NAT-Discovery paylo
ad
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, computing NAT Discovery hash
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing Fragmentation VID +
extended capabilities payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing VID payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Send Altiga/Cisco VPN3000/Cisco
ASA GW VID

Notice the rich payload of the response packet: in addition to the selected SA, it contains the key
exchange payload and several VENDOR payloads, plus the NAT-D payloads.

[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428

The client responds, completing the IKE Aggressive Mode Phase 1 exchange. At this point, both devices
can determine whether either side is behind NAT.

[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing notify payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing NAT-Discovery payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, computing NAT Discovery hash
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing NAT-Discovery payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, computing NAT Discovery hash
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Processing IOS/PIX Vendor ID pay
load (version: 1.0.0, capabilities: 00000408)
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, processing VID payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Received Cisco Unity client VID
[IKEv1]Group = EZVPN-ASA, IP = 136.1.38.3, Automatic NAT Detection Status:  Remote end IS behind a NAT device  This end is NOT behind a NAT device
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, constructing qm hash payload

The XAUTH phase takes place at this point.

[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=a62bf863) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=a62bf863) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86

After XAUTH is successful, the EzVPN server determines what Mode Config attributes will be sent
to the client based on the group policy configuration.

[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, process_attr(): Enter!
[IKEv1 DEBUG]Group = EZVPN-ASA, IP = 136.1.38.3, Processing MODE_CFG Reply attributes.
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: primary DNS = 136.1.100.101
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: secondary DNS = cleared
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: primary WINS = cleared
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: secondary WINS = cleared
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: split tunneling list = SPLIT_TUNNEL
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: IP Compression = disabled
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: Split Tunneling Policy = Split Network
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: Browser Proxy Setting = no-modify
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKEGetUser
Attributes: Browser Proxy Bypass Local = disable
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, User (CISCO-ASA)
authenticated.
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng qm hash payload

The next two IKE packets are for XAUTH successful confirmation from the EzVPN server and
XAUTH acknowledgment from the EzVPN client.

[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=cf218734) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=cf218734) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56

At this point, the EzVPN client requests Mode Config attributes from the EzVPN server.

[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, process_attr(): Enter!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Processing cfg ACK attributes

[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=acf7a701) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 172
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, process_at
tr(): Enter!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Processing
cfg Request attributes
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for IPV4 address!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for IPV4 net mask!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for DNS server address!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for WINS server address!
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Received unsuppo
rted transaction mode attribute: 5
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Banner!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Save PW setting!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Default Domain Name!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Split Tunnel List!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Split DNS!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for PFS setting!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Client Browser Proxy Setting!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for backup ip-sec peer list!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Client Smartcard Removal Disconnect Setting!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for Application Version!
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Client Type: Win
NT Client Application Version: 5.0.07.0410
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for FWTYPE!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, MODE_CFG:
Received request for DHCP hostname for DDNS is: WIN7-1!

The EzVPN server allocates an IP address from the configured pool and sends it to the client,
along with all the other attributes; the client also negotiates DPD.

[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Obtained IP addr (21.0.0.1) prior to initiating Mode Cfg (XAuth enabled)
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Assigned private
IP address 21.0.0.1 to remote user
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Send Clien
t Browser Proxy Attributes!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Browser Pr
oxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg rep
ly
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Send Cisco
Smartcard Removal Disconnect enable!!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng qm hash payload
[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=acf7a701) with payloads
: HDR + HASH (8) + ATTR (14) + NONE (0) total length : 188
[IKEv1 DECODE]IP = 136.1.38.3, IKE Responder starting QM: msg id = d46883e5
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Delay Quic
k Mode processing, Cert/Trans Exch/RM DSID in progress
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Resume Qui
ck Mode processing, Cert/Trans Exch/RM DSID completed
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, PHASE 1 COMPLETE
D
[IKEv1]IP = 136.1.38.3, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Starting P
1 rekey timer: 82080 seconds.
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, sending no
tify message
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng qm hash payload
[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=50172a0c) with payloads
: HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88

At this point, the EzVPN client initiates the IPsec Phase 2 (Quick Mode) negotiation.

[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=d46883e5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing
nonce payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing
ID payload
[IKEv1 DECODE]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, ID_IPV4_A
DDR ID received
21.0.0.1
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Received remote
Proxy Host data in ID Payload: Address 21.0.0.1, Protocol 0, Port 0
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing
ID payload
[IKEv1 DECODE]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, ID_IPV4_A
DDR_SUBNET ID received--0.0.0.0--0.0.0.0
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, QM IsRekeyed old
sa not found by addr
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Selecting
only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT
-Traversal
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE Remote Peer
configured for crypto map: DYNAMIC
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing
IPSec SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IPSec SA P
roposal # 11, Transform # 1 acceptable Matches global IPSec SA entry # 100
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE: requesting
SPI!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE got SP
I from key engine: SPI = 0xaa3df74e
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, oakley con
stucting quick mode
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng IPSec SA payload
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Overriding Initi
ator's IPSec rekeying duration from 2147483 to 28800 seconds
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng IPSec nonce payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng proxy ID
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Transmitting Proxy Id:
  Remote host: 21.0.0.1  Protocol 0  Port 0
  Local subnet: 0.0.0.0  mask 0.0.0.0  Protocol 0  Port 0

[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Sending RE
SPONDER LIFETIME notification to Initiator
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructi
ng qm hash payload
[IKEv1 DECODE]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE Respo
nder sending 2nd QM pkt: msg id = d46883e5

Here we have the final two messages of the Quick Mode exchange. After the SA has been established,
the EzVPN server injects a reverse route for the client address into the local routing table.

[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=d46883e5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 176
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=d46883e5) with payload
s : HDR + HASH (8) + NONE (0) total length : 48
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing
hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, loading al
l IPSEC SAs
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Generating
Quick Mode Key!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, NP encrypt
rule look up for crypto map DYNAMIC 100 matching ACL Unknown: returned cs_id=2e1
57ef0; rule=00000000
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Generating
Quick Mode Key!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, NP encrypt
rule look up for crypto map DYNAMIC 100 matching ACL Unknown: returned cs_id=2e1
57ef0; rule=00000000
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Security negotia
tion complete for User (CISCO-ASA) Responder, Inbound SPI = 0xaa3df74e, Outbound
SPI = 0xfc131995
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE got a
KEY_ADD msg for SA: SPI = 0xfc131995
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Pitcher: r
eceived KEY_UPDATE, spi 0xaa3df74e
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Starting P
2 rekey timer: 27360 seconds.
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Adding static ro
ute for client address: 21.0.0.1
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, PHASE 2 COMPLETE
D (msgid=d46883e5)
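The whole exchange walked through above, reduced to a timeline by a small parser. This is an added example, not code from the workbook: the regexes and the exchange-labelling rules are my own, and the sample lines are this page's own debug output with the console line-wrapping removed.

```python
"""Parse Cisco ASA 'debug crypto ikev1' output into a timeline of IKE exchanges.

Added example, not part of the workbook. SAMPLE_DEBUG is copied from the debug
trace on this page with console line-wrapping removed. Messages are grouped by
msgid, each exchange is labelled from its payload list, and the facts to check
after a test connection (tunnel-group, assigned address, SPIs) are pulled out.
"""
import re

SAMPLE_DEBUG = """\
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
[IKEv1]IP = 136.1.38.3, Connection landed on tunnel_group EZVPN-ASA
[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
[IKEv1]IP = 136.1.38.3, IKE_DECODE SENDING Message (msgid=a62bf863) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=a62bf863) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Assigned private IP address 21.0.0.1 to remote user
[IKEv1]IP = 136.1.38.3, IKE_DECODE RECEIVED Message (msgid=d46883e5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Security negotiation complete for User (CISCO-ASA) Responder, Inbound SPI = 0xaa3df74e, Outbound SPI = 0xfc131995
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, PHASE 2 COMPLETED (msgid=d46883e5)
"""

MSG_RE = re.compile(
    r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<msgid>[0-9a-f]+)\)"
    r" with payloads\s*:\s*(?P<payloads>.+?)\s*total length\s*:\s*(?P<length>\d+)")
PAYLOAD_RE = re.compile(r"([A-Z-]+) \(\d+\)")   # 'SA (1)', 'NAT-D (130)', ...
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
ASSIGNED_RE = re.compile(r"Assigned private IP address (\S+) to remote user")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")


def classify(msgid, messages):
    """Name an exchange from the payloads of its first message."""
    first = set(messages[0]["payloads"])
    if msgid == "0":
        # Phase 1 runs under msgid 0. Aggressive Mode packs SA, KE, NONCE and
        # ID into message 1; a Main Mode first message carries only SA.
        return "Phase 1 Aggressive Mode" if {"KE", "ID"} <= first else "Phase 1 Main Mode"
    if "ATTR" in first:
        return "Transaction (XAUTH / Mode Config)"
    if {"SA", "NONCE"} <= first:
        return "Phase 2 Quick Mode"
    return "Informational"


def parse_debug(text):
    """Return the exchanges in order of first appearance plus the key facts."""
    exchanges, facts = {}, {"tunnel_group": None, "assigned_ip": None,
                            "inbound_spi": None, "outbound_spi": None}
    for line in text.splitlines():
        if m := MSG_RE.search(line):
            payloads = [p for p in PAYLOAD_RE.findall(m["payloads"]) if p != "NONE"]
            exchanges.setdefault(m["msgid"], []).append(
                {"dir": m["dir"], "payloads": payloads, "length": int(m["length"])})
        elif m := LANDED_RE.search(line):
            facts["tunnel_group"] = m.group(1)
        elif m := ASSIGNED_RE.search(line):
            facts["assigned_ip"] = m.group(1)
        elif m := SPI_RE.search(line):
            facts["inbound_spi"], facts["outbound_spi"] = m.groups()
    facts["exchanges"] = [{"msgid": k, "kind": classify(k, v), "messages": v}
                          for k, v in exchanges.items()]
    return facts


if __name__ == "__main__":
    for ex in parse_debug(SAMPLE_DEBUG)["exchanges"]:
        print(f"msgid={ex['msgid']:>8}  {ex['kind']:<34}  {len(ex['messages'])} msg(s)")
```

Run against a full trace, the timeline makes it easy to spot a client that landed on the wrong tunnel-group or never reached Quick Mode, which is the first thing to check when XAUTH or group-lock rejects a user.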
