
New Training: Debugging for IPsec Tunnels

by Team Nuggets
Published on March 4, 2021

In this 8-video skill, CBT Nuggets trainer Keith Barker describes and demonstrates the configuration and verification of DMVPN. Watch this new Cisco training.

Watch the full course: Implementing and Operating Cisco Security Core Technologies

This training includes:

  • 8 videos

  • 39 minutes of training

You’ll learn these topics in this skill:

  • Introduction to Debugging IPsec

  • Overview of IPsec Options

  • Troubleshooting Tips for IPsec

  • IKEv1, Phase 1, Missing Routes

  • IKEv1, Phase 1, Bad Config

  • IKEv1, Phase 2 Bad Config

  • IKEv2 Troubleshooting

  • Summary Troubleshooting IPsec

How to Set Up an IPsec Tunnel Using IKEv1 and IKEv2

The process of setting up an IPsec tunnel can use either IKEv1 or IKEv2. "IKE" stands for "Internet Key Exchange" and is used to provide confidentiality, integrity, and authentication.

Here are all the steps in the IKEv1 process:

  1. Both routers negotiate and agree on a set of parameters, including authentication type, encryption key, hashing algorithm, and Diffie-Hellman group.

  2. An access control list (ACL) is created that governs the traffic going from one network to the other.

  3. One of three methods is used for peer authentication: defining a pre-shared key, RSA signature, or RSA encrypted nonces.

  4. Peers exchange transform sets, which are combinations of protocols and algorithms that endorse security policies for governing traffic.

  5. A crypto map is created that combines all of the policies into a cohesive set while establishing the IP address of the remote peer.

  6. The crypto map is then applied to the traffic interface.

  7. The configuration is verified.
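The seven IKEv1 steps above, as a Cisco IOS configuration for one side of a site-to-site tunnel. This is an added example, not material from the CBT Nuggets course. The names (VPN-TRAFFIC, TS-AES256, CMAP), the interface, the documentation-range addresses, and the key placeholder are all assumptions.

```cisco
! Assumed topology (constructed for this example):
!   local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, remote peer 203.0.113.2

! Step 1: IKEv1 Phase 1 (ISAKMP) policy. Encryption, hash, authentication
! method and DH group must match a policy on the peer, or Phase 1 fails.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

! Step 3: pre-shared key for peer authentication (placeholder value).
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.2

! Step 2: ACL selecting the traffic to protect. The peer needs the
! mirror image (source and destination swapped).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Step 4: Phase 2 transform set. A mismatch here lets Phase 1 come up
! while Phase 2 fails.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! Step 5: crypto map tying peer, transform set and ACL together.
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TRAFFIC

! Step 6: apply the crypto map to the outside (traffic) interface.
interface GigabitEthernet0/0
 crypto map CMAP

! Step 7: verify from privileged EXEC mode.
!   show crypto isakmp sa     (Phase 1 state; QM_IDLE means established)
!   show crypto ipsec sa      (Phase 2 SAs and encaps/decaps counters)
!   debug crypto isakmp       (negotiation detail when Phase 1 fails)
!   debug crypto ipsec        (negotiation detail when Phase 2 fails)
```

The show and debug lines in step 7 are left as comments because they are exec commands, not configuration.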

Here are all the steps in the IKEv2 process:

  1. A keyring defining the pre-shared key is created, initiating the ISP1 router to connect with the remote peer.

  2. An IKEv2 proposal negotiates the IKE SAs by defining various parameters.

  3. The IKEv2 policy is defined.

  4. Peers exchange transform sets, which are combinations of protocols and algorithms that endorse security policies for governing traffic.

  5. An access control list (ACL) is created that governs the traffic going from one network to the other.

  6. An IKEv2 profile is defined, followed by a crypto map which is attached to the profile.

  7. The crypto map is applied and the configuration is verified.

The primary advantage IKEv2 provides over IKEv1 is efficiency. The seven steps outlined for IKEv1 require exchanging six messages in main mode to establish a tunnel, while the seven steps in IKEv2 can be completed with four.

