Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
collectively remove the unwanted information. The privileged EXEC commands clear
crypto sa and clear crypto isakmp (IOS accepts the abbreviation clear crypto isa), and
the global configuration mode command no crypto ipsec sa, each directed at the specific
peer devices involved, remove the stale security associations so that the next packet of
interesting traffic triggers a fresh negotiation.
2. Make sure the routers have mirror access lists
The access lists referenced by the crypto maps decide which packets are protected by
the IPSec tunnel. Cisco IOS expects the access list on each peer to be the mirror image
of the one on the other peer: the source of every permit entry on one router must be the
destination of the corresponding entry on the other router, and vice versa. When the
lists are not mirrored, the two routers disagree about which traffic belongs to the
tunnel, and the negotiation fails or traffic is silently dropped. In our example above,
the access lists used by North and Remote are mirror images: both use the any option,
so packets of every protocol with source and destination addresses each behind one of
the routers are protected. (Cisco's own documentation discourages permit ip any any in
a crypto access list on an operational router, because the router then tries to protect
all traffic and drops unprotected inbound packets, including routing protocol traffic;
prefer entries that name the networks.) On the other hand, if we only want to protect
packets between the LAN behind the Remote router (7.0.0.0/24) and hosts behind the
North router (14.2.0.0/16), then the following access lists on North and Remote satisfy
the mirror access list requirement and allow the tunnel to be constructed between North
and Remote. Note that IOS zeroes the wildcard bits when it stores an entry, so an entry
typed as 14.2.1.20 0.0.255.255 is displayed as 14.2.0.0 0.0.255.255; writing the
network address avoids surprises when comparing the two configurations.
On North:
access-list 101 permit ip 14.2.0.0 0.0.255.255 7.0.0.0 0.0.0.255
On Remote:
access-list 102 permit ip 7.0.0.0 0.0.0.255 14.2.0.0 0.0.255.255
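Checking the mirror requirement by eye is error-prone once the lists grow past one entry. The script below is an added example (it is not part of the guide and not Cisco code): it parses the crypto access lists of both peers, normalizes each address the way IOS stores it (wildcard bits zeroed), reports every local permit entry that the peer does not mirror, and can generate the peer's mirror list from the local one. The constants NORTH_ACL, REMOTE_ACL and REMOTE_ACL_BAD are constructed sample input, and all function names are the example's own.

```python
"""Mirror-image check for Cisco IOS crypto access lists (added example, not Cisco code).

Handles extended ACL lines of the form
    access-list N permit PROTO SRC [port-qualifier] DST [port-qualifier]
where an address is 'any', 'host A', or 'A WILDCARD'. Trailing keywords such as
'log' are ignored. Non-contiguous wildcard masks are kept as-is.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)\s*$")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator -> token count
ALL_ONES = 0xFFFFFFFF

# Constructed sample input: the North and Remote entries from the text (as typed,
# with host addresses), plus a deliberately wrong Remote entry covering one host only.
NORTH_ACL = "access-list 101 permit ip 14.2.1.20 0.0.255.255 7.0.0.1 0.0.0.255\n"
REMOTE_ACL = "access-list 102 permit ip 7.0.0.1 0.0.0.255 14.2.1.20 0.0.255.255\n"
REMOTE_ACL_BAD = "access-list 102 permit ip host 7.0.0.1 14.2.1.20 0.0.255.255\n"


def _parse_addr(tokens):
    """Consume one address spec; return ((network_int, wildcard_int), remaining tokens)."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # IOS zeroes the wildcard bits: 14.2.1.20 0.0.255.255 is stored as 14.2.0.0 0.0.255.255
    return (addr & ~wildcard & ALL_ONES, wildcard), tokens[2:]


def _parse_port(tokens):
    """Consume an optional tcp/udp port qualifier such as 'eq 80' or 'range 20 21'."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def parse_crypto_acl(text):
    """Return [(proto, (src_net, src_wc, src_port), (dst_net, dst_wc, dst_port)), ...]
    for the permit lines, in order. deny lines never select traffic for IPSec."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(2) != "permit":
            continue
        proto, rest = m.group(3), m.group(4).split()
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        entries.append((proto, src + (sport,), dst + (dport,)))
    return entries


def _mirror(entry):
    """The entry the peer must carry: same protocol, source and destination swapped."""
    proto, src, dst = entry
    return (proto, dst, src)


def mirror_check(local_text, peer_text):
    """Return the local permit entries that the peer ACL does not mirror (empty list = OK)."""
    peer = parse_crypto_acl(peer_text)
    return [e for e in parse_crypto_acl(local_text) if _mirror(e) not in peer]


def _fmt_addr(spec):
    net, wildcard, port = spec
    if wildcard == ALL_ONES:
        text = "any"
    elif wildcard == 0:
        text = f"host {ipaddress.IPv4Address(net)}"
    else:
        text = f"{ipaddress.IPv4Address(net)} {ipaddress.IPv4Address(wildcard)}"
    return f"{text} {port}".rstrip()


def mirror_acl(local_text, peer_acl_number):
    """Render the peer's mirror-image ACL from the local one, as IOS would display it."""
    return [
        f"access-list {peer_acl_number} permit {proto} {_fmt_addr(dst)} {_fmt_addr(src)}"
        for proto, src, dst in parse_crypto_acl(local_text)
    ]


if __name__ == "__main__":
    for name, peer in (("Remote", REMOTE_ACL), ("Remote (bad)", REMOTE_ACL_BAD)):
        missing = mirror_check(NORTH_ACL, peer)
        print(f"North vs {name}: {'mirror OK' if not missing else 'NOT mirrored'}")
        for entry in missing:
            print("  unmatched on North:", _fmt_addr(entry[1]), "->", _fmt_addr(entry[2]))
    print("Peer ACL generated from North's:", *mirror_acl(NORTH_ACL, 102))
```

Paste the output of show access-lists from each router into the two strings and run the check in both directions; the generated list is also a convenient starting point when building the second router's configuration.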
3. Turning on debug commands to observe the routers' IPSec negotiation
It is very helpful to run both debug crypto ipsec and debug crypto isakmp, entered
while the router is in privileged EXEC mode. (Note: if the routers establishing the
IPSec tunnel are not yet operational, turning on full debugging with debug all supplies
even more diagnostic information, but full debugging imposes too great a load to be
practical on operational routers. Debug output goes to the console by default; on a
vty session, enter terminal monitor to see it, and turn debugging off again with
undebug all when finished.) The debug messages let the network administrator observe
how the local router processes the remote router's IPSec packets during tunnel
negotiation and determine exactly where the negotiation is failing. Below is the North
router's output with these two debug commands turned on. (Note: the two debug options
were run at different times, but each was on while the IPSec tunnel was being
constructed.)
North# debug crypto isakmp
Crypto ISAKMP debugging is on
North# ping 7.12.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.12.1.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/33/36 ms