Cisco IKE Version 2 Site-to-site VPN using PSK

With ASA 8.4 coming out last week and supporting the long-awaited IKEv2, I thought I would knock up a quick site-to-site VPN using pre-shared keys.

This is a very basic setup shown below.

Each router has a default route to the local ASA.

Each ASA has a default route to the opposing ASA.

Below are the relevant configurations.

ASA Top

!- define crypto acl
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
!- define the IPSEC proposal used by IKEv2 (previously called transform set)
crypto ipsec ikev2 ipsec-proposal ike_prop1
 protocol esp encryption 3des
 protocol esp integrity md5
!- create a crypto map and call the crypto acl, set the peer ASA and reference the IPSEC proposal
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.2
crypto map mymap 10 set ikev2 ipsec-proposal ike_prop1
!- apply crypto map to outside interface
crypto map mymap interface outside
!- create the IKEv2 policy, note prf sha is default
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
!- enable IKEv2 on the outside interface
crypto ikev2 enable outside
!- enable cookie-challenge (more on this later) 😉
crypto ikev2 cookie-challenge always
!- create tunnel-group, using psk for IKEv2
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!

ASA Base

access-list 100 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal ike_prop1
 protocol esp encryption 3des
 protocol esp integrity md5
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.1
crypto map mymap 10 set ikev2 ipsec-proposal ike_prop1
crypto map mymap interface outside
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 cookie-challenge always
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
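Added example (not from the post): a small audit script run over the ASA Base configuration above. It groups each top-level command with its indented sub-mode lines and flags the 3DES/MD5 IPsec proposal the post deliberately chose, plus the short pre-shared key; the weak-algorithm list and the 16-character PSK threshold are this example's own choices, not a Cisco default.

```python
import re

# The ASA Base configuration from the post, embedded here as the sample input.
ASA_BASE = """\
access-list 100 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal ike_prop1
 protocol esp encryption 3des
 protocol esp integrity md5
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.1
crypto map mymap 10 set ikev2 ipsec-proposal ike_prop1
crypto map mymap interface outside
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 cookie-challenge always
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
"""

WEAK_ALGS = {"des", "3des", "md5", "null"}   # what this audit flags
MIN_PSK_LEN = 16                              # this example's threshold, not a Cisco default
CRYPTO_SECTIONS = ("crypto ipsec ikev2 ipsec-proposal", "crypto ikev2 policy")

def sections(config):
    """Yield (header, [sub-mode lines]) for each top-level command and its indented body."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body

def audit(config):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    for header, body in sections(config):
        if header.startswith(CRYPTO_SECTIONS):
            for line in body:
                for alg in sorted(set(line.split()) & WEAK_ALGS):
                    findings.append(f"{header}: weak algorithm '{alg}' in '{line}'")
        elif header.endswith("ipsec-attributes"):
            for line in body:
                m = re.match(r"ikev2 (remote|local)-authentication pre-shared-key (\S+)$", line)
                if m and len(m.group(2)) < MIN_PSK_LEN:
                    findings.append(f"{header}: {m.group(1)} PSK is only {len(m.group(2))} characters")
    return findings

if __name__ == "__main__":
    for finding in audit(ASA_BASE):
        print(finding)
```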

Checking the Configuration

I created a capture on the outside interface of the Top ASA and kicked off a ping from 10.10.10.2 to 20.20.20.2. This caused the IKEv2 SA to form with AES, SHA and DH group 5, as can be seen below.

base(config)# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
90413383 192.168.1.2/500 192.168.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1071 sec
Child sa: local selector 20.20.20.0/0 – 20.20.20.255/65535
remote selector 10.10.10.0/0 – 10.10.10.255/65535
ESP spi in/out: 0xe46612b/0x7005642

I purposely set the IPSEC proposal to 3DES with MD5; this can be seen below.

base(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: mymap, seq num: 10, local addr: 192.168.1.2

access-list 100 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 192.168.1.1

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.2/500, remote crypto endpt.: 192.168.1.1/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 07005642
current inbound spi : 0E46612B

inbound esp sas:
  spi: 0x0E46612B (239493419)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, }
  slot: 0, conn_id: 16384, crypto-map: mymap
  sa timing: remaining key lifetime (kB/sec): (3916799/27720)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x0000000F
outbound esp sas:
  spi: 0x07005642 (117462594)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, }
  slot: 0, conn_id: 16384, crypto-map: mymap
  sa timing: remaining key lifetime (kB/sec): (4331519/27720)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001

As we implemented cookie-challenge for ALL connections, the Responder (in our case ASA Base) will reply to the 1st IKEv2 packet with a Notify Type of COOKIE. This behaviour is described in RFC 5996:

“Two expected attacks against IKE are state and CPU exhaustion, where the target is flooded with session initiation requests from forged IP addresses. These attacks can be made less effective if a responder uses minimal CPU and commits no state to an SA until it knows the initiator can receive packets at the address from which it claims to be sending them.

When a responder detects a large number of half-open IKE SAs, it SHOULD reply to IKE_SA_INIT requests with a response containing the COOKIE notification. The data associated with this notification MUST be between 1 and 64 octets in length (inclusive), and its generation is described later in this section. If the IKE_SA_INIT response includes the COOKIE notification, the initiator MUST then retry the IKE_SA_INIT request, and include the COOKIE notification containing the received data as the first payload, and all other payloads unchanged”

As we can see from the following capture, the second packet is the response from ASA Base with the Notify type of COOKIE and the data 00 00 00 00 fd 21 65 ac. ASA Top then retries the IKE_SA_INIT (packet 3) with a Notify of type COOKIE carrying the same data, 00 00 00 00 fd 21 65 ac, as the first payload.

top(config)# sh cap cap1 decode

1576 packets captured

1: 09:51:40.083064 192.168.1.1.500 > 192.168.1.2.500: udp 458

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: 00 00 00 00 00 00 00 00

Next Payload: IKEV2 SA PAYLOAD

Version: 2.0

Exchange Type: IKE_SA_INIT

Flags: (Initiator)

Reserved: 00

MessageID: 00000000

Length: 458

Payload IKEV2 SA PAYLOAD

Next Payload: IKEV2 KE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 48

Payload Proposal

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 44

Proposal #: 1

Protocol-Id: PROTO_ISAKMP

SPI Size: 0

# of transforms: 4

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 12

Transform Type: ENCR

Reserved: 00

Transform ID: ENCR_AES_CBC (12)

Key Length: 128

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: PRF

Reserved: 00

Transform ID: PRF_HMAC_SHA1 (2)

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: INTEG

Reserved: 00

Transform ID: AUTH_HMAC_SHA1_96 (2)

Payload Transform

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: DH

Reserved: 00

Transform ID: DH Group 5

Payload IKEV2 KE PAYLOAD

Next Payload: IKEV2 NONCE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 200

DH Group #: 5

Reserved: 00

Data:

d3 0c 8a 9a f8 98 da 76 01 84 b4 55 fe 76 9a 25

6c d2 7e d6 32 cb 66 e5 62 78 16 ee 93 b9 01 30

d2 8e 83 c4 01 a1 c1 f5 80 ad 04 7f 0e 22 51 df

64 1d f3 1e 40 ff 10 68 42 a1 eb dc 7d 7f 17 01

b6 9e 6d 88 8c 3d b8 6b 28 ec 63 06 ba 41 63 73

8f 84 d4 25 33 9d 9f 9b 1f 4d d3 f2 a6 24 27 bf

3a 97 61 17 fc f4 32 11 62 60 b8 ab fe 51 fe 3f

0d 01 20 8b 27 55 cc 15 c1 b7 37 cb af 54 37 8a

3c 70 73 88 1e 30 f3 e8 32 08 c2 44 b6 43 3d 2f

e7 c9 59 b2 e1 d3 56 c7 9c 7d 83 c9 e1 a1 d1 31

23 f6 6c 25 3a 2b 0d 41 29 29 73 b2 ca f7 e0 1d

c4 0c 6b 1a 06 7f 0a ad 8d a7 37 9f 57 45 e7 59

Payload IKEV2 NONCE PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 24

Data:

3b 23 30 17 4a b8 8f 7b 81 97 e0 c2 f3 87 74 6c

c9 fc 8d 9d

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 23

Data (In Hex):

43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41

53 4f 4e

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 59

Data (In Hex):

43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29

26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32

30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d

73 2c 20 49 6e 63 2e

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_SRC

Data:

65 ad 3e 10 ec 27 dc 75 cc 49 a5 41 64 a5 97 49

46 9b 7e 8c

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_DST

Data:

60 06 74 65 c3 11 79 3f 4c 3e 8b f2 fb cb fc 6d

92 30 51 23

Payload IKEV2 VENDOR PAYLOAD

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 20

Data (In Hex):

40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

2: 09:51:40.083873 192.168.1.2.500 > 192.168.1.1.500: udp 44

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: 00 00 00 00 00 00 00 00

Next Payload: IKEV2 NOTIFY PAYLOAD

Version: 2.0

Exchange Type: IKE_SA_INIT

Flags: (Response)

Reserved: 00

MessageID: 00000000

Length: 44

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 16

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: COOKIE

Data: 00 00 00 00 fd 21 65 ac

3: 09:51:40.084330 192.168.1.1.500 > 192.168.1.2.500: udp 474

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: 00 00 00 00 00 00 00 00

Next Payload: IKEV2 NOTIFY PAYLOAD

Version: 2.0

Exchange Type: IKE_SA_INIT

Flags: (Initiator)

Reserved: 00

MessageID: 00000000

Length: 474

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 SA PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 16

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: COOKIE

Data: 00 00 00 00 fd 21 65 ac

Payload IKEV2 SA PAYLOAD

Next Payload: IKEV2 KE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 48

Payload Proposal

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 44

Proposal #: 1

Protocol-Id: PROTO_ISAKMP

SPI Size: 0

# of transforms: 4

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 12

Transform Type: ENCR

Reserved: 00

Transform ID: ENCR_AES_CBC (12)

Key Length: 128

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: PRF

Reserved: 00

Transform ID: PRF_HMAC_SHA1 (2)

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: INTEG

Reserved: 00

Transform ID: AUTH_HMAC_SHA1_96 (2)

Payload Transform

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: DH

Reserved: 00

Transform ID: DH Group 5

Payload IKEV2 KE PAYLOAD

Next Payload: IKEV2 NONCE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 200

DH Group #: 5

Reserved: 00

Data:

d3 0c 8a 9a f8 98 da 76 01 84 b4 55 fe 76 9a 25

6c d2 7e d6 32 cb 66 e5 62 78 16 ee 93 b9 01 30

d2 8e 83 c4 01 a1 c1 f5 80 ad 04 7f 0e 22 51 df

64 1d f3 1e 40 ff 10 68 42 a1 eb dc 7d 7f 17 01

b6 9e 6d 88 8c 3d b8 6b 28 ec 63 06 ba 41 63 73

8f 84 d4 25 33 9d 9f 9b 1f 4d d3 f2 a6 24 27 bf

3a 97 61 17 fc f4 32 11 62 60 b8 ab fe 51 fe 3f

0d 01 20 8b 27 55 cc 15 c1 b7 37 cb af 54 37 8a

3c 70 73 88 1e 30 f3 e8 32 08 c2 44 b6 43 3d 2f

e7 c9 59 b2 e1 d3 56 c7 9c 7d 83 c9 e1 a1 d1 31

23 f6 6c 25 3a 2b 0d 41 29 29 73 b2 ca f7 e0 1d

c4 0c 6b 1a 06 7f 0a ad 8d a7 37 9f 57 45 e7 59

Payload IKEV2 NONCE PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 24

Data:

3b 23 30 17 4a b8 8f 7b 81 97 e0 c2 f3 87 74 6c

c9 fc 8d 9d

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 23

Data (In Hex):

43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41

53 4f 4e

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 59

Data (In Hex):

43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29

26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32

30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d

73 2c 20 49 6e 63 2e

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_SRC

Data:

65 ad 3e 10 ec 27 dc 75 cc 49 a5 41 64 a5 97 49

46 9b 7e 8c

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_DST

Data:

60 06 74 65 c3 11 79 3f 4c 3e 8b f2 fb cb fc 6d

92 30 51 23

Payload IKEV2 VENDOR PAYLOAD

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 20

Data (In Hex):

40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

4: 09:51:40.105081 192.168.1.2.500 > 192.168.1.1.500: udp 458

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: e5 f5 3b 0f cc 0c ac 2a

Next Payload: IKEV2 SA PAYLOAD

Version: 2.0

Exchange Type: IKE_SA_INIT

Flags: (Response)

Reserved: 00

MessageID: 00000000

Length: 458

Payload IKEV2 SA PAYLOAD

Next Payload: IKEV2 KE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 48

Payload Proposal

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 44

Proposal #: 1

Protocol-Id: PROTO_ISAKMP

SPI Size: 0

# of transforms: 4

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 12

Transform Type: ENCR

Reserved: 00

Transform ID: ENCR_AES_CBC (12)

Key Length: 128

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: PRF

Reserved: 00

Transform ID: PRF_HMAC_SHA1 (2)

Payload Transform

Next Payload: Transform

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: INTEG

Reserved: 00

Transform ID: AUTH_HMAC_SHA1_96 (2)

Payload Transform

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 8

Transform Type: DH

Reserved: 00

Transform ID: DH Group 5

Payload IKEV2 KE PAYLOAD

Next Payload: IKEV2 NONCE PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 200

DH Group #: 5

Reserved: 00

Data:

c5 de 31 07 02 e1 43 f8 2b 51 aa 3d 65 c7 01 9a

65 46 c8 56 49 d5 0d 84 28 b2 36 bc e3 e3 eb 18

4b 8e ee fa a1 d8 87 fc 3b 01 ab e7 5e 5e 96 ec

c9 bd d9 55 12 48 c6 c8 61 73 60 40 f9 b2 4b c2

ea 3d fe ef 66 55 14 1f 9b da bf 08 73 19 00 b1

aa 39 07 8f 70 c2 cc b8 55 1c de a3 21 82 87 e0

4d 31 11 cd 3d d1 90 08 0e b7 f0 20 c4 d0 0e 6d

e5 78 0a f0 51 ad e3 ea 22 ea e8 76 4b e9 ea fd

b1 54 6d aa 7b 85 f8 cd 3e e4 2c 1f 63 3e 4c 29

95 85 66 77 0c 88 96 95 7a f1 f3 76 76 b4 85 ae

bb c2 31 8f bb bd 5f 03 8f a5 77 77 89 4c c8 1c

30 2e 2f a0 ac 24 75 aa 59 b4 87 c0 c6 65 c8 48

Payload IKEV2 NONCE PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 24

Data:

22 75 73 4a e8 64 83 d9 26 74 c0 7c 06 cd c3 35

d5 1d 4d 5f

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 23

Data (In Hex):

43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41

53 4f 4e

Payload IKEV2 VENDOR PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 59

Data (In Hex):

43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29

26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32

30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d

73 2c 20 49 6e 63 2e

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 NOTIFY PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_SRC

Data:

5e 33 c0 af 8a b8 38 b1 05 26 29 73 e4 ad cb ae

74 84 74 61

Payload IKEV2 NOTIFY PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 28

Protocol-ID: PROTO_ISAKMP

Spi Size: 0

Notify Type: NAT_DETECTION_DST

Data:

32 f1 08 53 3f 36 f0 5b c0 3e bd 88 08 54 b5 95

f9 f0 8e 44

Payload IKEV2 VENDOR PAYLOAD

Next Payload: None

Critical Bit: OFF

Reserved: 00

Payload Length: 20

Data (In Hex):

40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

5: 09:51:40.125268 192.168.1.1.500 > 192.168.1.2.500: udp 268

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: e5 f5 3b 0f cc 0c ac 2a

Next Payload: IKEV2 ENCRYPT PAYLOAD

Version: 2.0

Exchange Type: IKE_AUTH

Flags: (Initiator)

Reserved: 00

MessageID: 00000001

Length: 268

Payload IKEV2 ENCRYPT PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 240

Data:

ef ff e9 17 92 ec 35 2f 2a b0 9b 94 d1 22 38 b4

8c ff 4f 48 8f 8a a1 e8 57 11 0f 93 72 4b 04 50

ff d1 19 40 8f 89 0b 5e f6 71 ad 51 a2 05 75 4b

eb 9a 10 bf cb 5a ac b9 98 70 18 5a 04 a2 63 fa

7d 87 00 71 d4 d8 6f 50 51 5a 2f 42 8c 76 a8 6e

41 19 af 2f f0 ab 6b 40 53 ad 46 93 8f d7 f4 6f

35 3d 77 8a 01 a0 77 e2 71 4b f3 0c a6 cc 4d b3

98 44 32 8b fc 7f d3 2c 10 b6 36 b5 da 9e 6a fa

29 6f 77 64 a2 f8 14 c3 21 f3 0b 41 80 76 d6 98

3b b3 1a 8d a0 08 1a 1f ba cd 55 66 8a c0 40 9c

6a b5 f5 a8 60 03 b2 6f 53 1e a3 92 44 65 49 3a

ee 6c 4c d2 4b b5 72 66 42 a8 3f e8 55 b7 ee de

89 c7 90 ff 08 6f 7a f2 86 6a b2 bd bf d5 fc 9b

ed af 57 f7 54 68 a8 f1 eb 3a 1d e7 38 96 bc 6c

51 bf dc e9 b9 be 58 c4 77 32 1a 4c

6: 09:51:40.127022 192.168.1.2.500 > 192.168.1.1.500: udp 236

ISAKMP Header

Initiator COOKIE: fb 19 76 ca e9 86 d5 00

Responder COOKIE: e5 f5 3b 0f cc 0c ac 2a

Next Payload: IKEV2 ENCRYPT PAYLOAD

Version: 2.0

Exchange Type: IKE_AUTH

Flags: (Response)

Reserved: 00

MessageID: 00000001

Length: 236

Payload IKEV2 ENCRYPT PAYLOAD

Next Payload: IKEV2 VENDOR PAYLOAD

Critical Bit: OFF

Reserved: 00

Payload Length: 208

Data:

86 89 1c 5d 31 36 ac 47 f4 3a 25 e3 70 b8 d3 64

e1 11 bf 34 7d da 84 6a 79 a7 b3 33 df 23 0f e4

48 ae 13 49 7b 31 19 05 5b f1 d9 e5 d6 f1 30 50

a1 40 a9 92 e9 6b 92 71 7d 06 05 e9 66 99 0a 25

de f4 9d 2d 72 9d a5 7a d5 6f 4d a3 eb a5 1e fa

91 69 f4 1f f0 9d 73 5e 35 6f 87 f0 83 96 ef ec

f8 b2 85 e0 22 9d e9 8d 90 7e 50 f7 2f ac 41 67

52 be 18 1d 6f a4 38 91 d2 22 a0 38 9c 70 3b e3

bb b1 df 24 b2 ab 2f d8 de 9e 30 46 48 58 1e fd

53 aa 06 7a 76 cb 44 b6 06 b3 ae 0d 01 20 1b 27

bc de 43 a6 e0 3d e5 be 79 a0 c1 90 89 0a b8 18

88 4a 2d 1e 58 d4 66 52 23 3a 9c 2b f4 c4 f8 ca

a1 05 bb 3a 91 a0 21 a6 44 a0 de 82

As you can see from the above capture, this is 6 packets rather than the typical 4 for IKEv2. These two extra packets mitigate the risk of the DoS attacks to which IKEv1 peers are vulnerable.
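Added example (not from the post): both sides of the exchange just described. The initiator-side parser walks packet 2 of the capture above, re-encoded byte for byte from its decode, and pulls out the COOKIE data that must be echoed back; the responder-side functions show the stateless cookie construction from RFC 5996 section 2.6, which the quoted passage refers to. The SHA-256 hash and the 16-octet cookie size are this example's choices, not the RFC's mandated values and not what the ASA does.

```python
import hashlib
import hmac
import struct

IKE_SA_INIT = 34          # exchange type
PAYLOAD_NOTIFY = 41       # payload type
NOTIFY_COOKIE = 16388     # notify message type
FLAG_RESPONSE = 0x20

# Packet 2 of the capture above, re-encoded byte for byte from its decode:
# a 28-byte IKE header followed by one 16-byte Notify(COOKIE) payload = 44 bytes.
PACKET_2 = (
    bytes.fromhex("fb1976cae986d500")                   # Initiator SPI
    + bytes(8)                                          # Responder SPI, still zero
    + bytes([PAYLOAD_NOTIFY, 0x20])                     # next payload, version 2.0
    + bytes([IKE_SA_INIT, FLAG_RESPONSE])               # exchange type, flags
    + struct.pack("!II", 0, 44)                         # message ID 0, length 44
    + bytes([0, 0]) + struct.pack("!H", 16)             # notify: next=None, length 16
    + bytes([1, 0]) + struct.pack("!H", NOTIFY_COOKIE)  # PROTO_ISAKMP, SPI size 0, type
    + bytes.fromhex("00000000fd2165ac")                 # the cookie data
)

def parse_cookie_notify(pkt):
    """Return the COOKIE data if pkt is an IKE_SA_INIT response carrying one, else None."""
    if len(pkt) < 28:
        raise ValueError("truncated IKE header")
    _spi_i, _spi_r, nxt, ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("IKE header length does not match the datagram")
    if (ver >> 4) != 2 or exch != IKE_SA_INIT or not (flags & FLAG_RESPONSE):
        return None
    off = 28
    while nxt != 0:                                     # walk the payload chain
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt_next, _crit, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_NOTIFY and plen >= 8:
            _proto, spi_size, ntype = struct.unpack("!BBH", pkt[off + 4:off + 8])
            if ntype == NOTIFY_COOKIE:
                data = pkt[off + 8 + spi_size:off + plen]
                if not 1 <= len(data) <= 64:            # bound quoted from RFC 5996 above
                    raise ValueError("cookie length out of range")
                return data
        nxt, off = nxt_next, off + plen
    return None

# Responder side: the stateless cookie RFC 5996 section 2.6 suggests,
#   Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
# so nothing is stored per initiator until the cookie comes back. SHA-256 and the
# 16-octet size are this example's choices, not the RFC's or Cisco's.
def make_cookie(secret, version, nonce_i, ip_i, spi_i):
    digest = hashlib.sha256(nonce_i + ip_i + spi_i + secret).digest()
    return bytes([version]) + digest[:15]               # 16 octets, within 1..64

def verify_cookie(secrets, cookie, nonce_i, ip_i, spi_i):
    """secrets maps version id -> secret; keeping the previous secret lets a rotation finish."""
    secret = secrets.get(cookie[0]) if cookie else None
    if secret is None:
        return False
    return hmac.compare_digest(cookie, make_cookie(secret, cookie[0], nonce_i, ip_i, spi_i))
```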

On the Base ASA we see that a cookie challenge was issued for one connection and that it passed.

base(config)# sho crypto ikev2 stats

Global IKEv2 Statistics
Active Tunnels: 1
Previous Tunnels: 3
In Octets: 14826
In Packets: 159
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 26
In P2 Exchange: 150
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 3
Out Octets: 14220
Out Packets: 159
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 17
Out P2 Exchange: 150
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 4
SAs Remotely Initiated Failed: 0
System Capacity Failures: 1
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 3
Previous Tunnels Wraps: 0
In DPD Messages: 147
Out DPD Messages: 147
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 252
Cookie Challenge Threshold: Always
Active SAs: 1
In-Negotiation SAs: 0
Incoming Requests: 5
Incoming Requests Accepted: 5
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 1
Cookie Challenges Passed: 1
Cookie Challenges Failed: 0

I plan to write another post on cookie-challenge and how it overcomes the weakness of IKEv1.

Thanks

Graham
