What is Phase 1 and Phase 2 in VPN?
Diffie-Hellman (DH) exchange options supported
Encryption algorithms supported
Triple Data Encryption Standard (3DES) with a security strength of 112 bits
Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
AES using CBC with a security strength of 192 bits
AES using CBC with a security strength of 256 bits
AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
AES using GCM with a security strength of 256 bits
Data Encryption Standard (DES) with a security strength of 56 bits
Authentication algorithms supported
Phase 1 and Phase 2 settings
A VPN tunnel is established in two phases: Phase 1 and Phase 2. Several parameters determine how this is done. Except for IP addresses, the settings simply need to match at both VPN gateways. There are defaults that are appropriate for most cases. FortiClient distinguishes between Phase 1 and Phase 2 only in the VPN Advanced settings and uses different terms. Phase 1 is called the IKE Policy. Phase 2 is called the IPsec Policy.
Phase 1
In Phase 1, the two VPN gateways exchange information about the encryption algorithms that they support and then establish a temporary secure connection to exchange authentication information. When you configure your FortiGate unit or FortiClient application, you must specify the following settings for Phase 1:
All other Phase 1 settings have default values. These settings mainly configure the types of encryption to be used. The default settings on FortiGate units and in the FortiClient application are compatible. The examples in this guide use these defaults. For more detailed information about Phase 1 settings, see Phase 1 parameters.
Phase 2
Similar to the Phase 1 process, the two VPN gateways exchange information about the encryption algorithms that they support for Phase 2. You may choose different encryption for Phase 1 and Phase 2. If both gateways have at least one encryption algorithm in common, a VPN tunnel can be established. Keep in mind that the more algorithms each phase proposes that the other gateway does not share, the longer negotiations will take. In extreme cases this may cause timeouts during negotiations. To configure default Phase 2 settings on a FortiGate unit, you need only select the name of the corresponding Phase 1 configuration. In FortiClient, no action is required to enable default Phase 2 settings. For more detailed information about Phase 2 settings, see Phase 2 parameters.
SITE TO SITE IPSEC VPN PHASE-1 AND PHASE-2 TROUBLESHOOTING STEPS, NEGOTIATION STATES AND MESSAGES MM_WAIT_MSG
(Image source: www.Techmusa.com)
Network troubleshooting is an art, and site-to-site VPN troubleshooting is one of my favorite network jobs; I believe other networking folks feel the same. The first and most important step of troubleshooting is diagnosing the issue: isolate the exact problem without wasting time. In this article I want to describe the steps for troubleshooting a site-to-site VPN tunnel; most VPN appliances provide plenty of debugging information for an engineer to diagnose the issue. I love to work on the CLI (command line), the Cisco firewall is my favorite, and I have successfully created VPN tunnels on Cisco ASA, SonicWALL, Cyberoam, Check Point, Palo Alto and many more.
As a network engineer, it doesn't matter what VPN device you are using at each end of the tunnel. While creating VPN tunnels we generally encounter common issues, and as a rule there are a few checks that you need to validate when a tunnel fails to establish. There are four common issues we generally face while setting up a VPN tunnel.
Most of the time the remote end of the tunnel is configured by a different engineer, so ensure that the Phase-1 and Phase-2 configuration is identical on both sides of the tunnel. It helps to use a common VPN template and exchange the Phase-1 and Phase-2 SA (security association) information between both parties before setting up the tunnel.
Phase 1 (ISAKMP) security associations fail
This is the first thing to check when Phase-1 of the tunnel does not come up. Make sure your encryption setting, authentication, hashes, lifetime etc. are the same at both ends of the tunnel for the Phase 1 proposal. Here's a quick checklist for Phase-1 (ISAKMP):
IPsec VPN Message Types #MM_WAIT_MSG
ISAKMP (IKE Phase 1) Negotiation States and Messages MM_WAIT_MSG
MM_WAIT_MSG2 – The Initiator has sent its encryption, hash and DH (Diffie–Hellman) proposals to the Responder and is awaiting the initial reply from the other end gateway. If the Initiator is stuck at MM_WAIT_MSG2, the remote end is not responding to the Initiator. This can happen for the following reasons:
MM_WAIT_MSG3 – The Initiator has received its IKE policy back from the Receiver. The Initiator sends encryption, hash, DH and IKE policy details to create initial contact, and waits at MM_WAIT_MSG2 until it hears back from the Receiver. A tunnel stuck at MM_WAIT_MSG3 is due to the following reasons:
MM_WAIT_MSG4 – Now the Initiator has received the IKE policy and sends the pre-shared key to the Receiver. The Initiator stays at MM_WAIT_MSG4 until it gets a pre-shared key back from the Receiver. If the Receiver does not have a tunnel group or pre-shared key configured, the Initiator will stay at MM_WAIT_MSG4.
MM_WAIT_MSG5 – The Initiator has received its pre-shared key hash from the Receiver. If the Receiver has a tunnel group and PSK configured for the Initiator's peer address, it sends its PSK hash to the Initiator. If the PSKs don't match, the Receiver will stay at MM_WAIT_MSG5. The following reasons can leave the tunnel stuck at MM_WAIT_MSG5:
MM_WAIT_MSG6 – The Initiator checks whether the pre-shared key hashes match. If they match, the Initiator state becomes MM_ACTIVE and it acknowledges to the Receiver. If the pre-shared keys do not match, the Initiator stays at MM_WAIT_MSG6. The following reasons can leave the tunnel stuck at MM_WAIT_MSG6:
AM_ACTIVE – The Receiver has received the MM_ACTIVE acknowledgement from the Initiator and becomes MM_ACTIVE. ISAKMP SA negotiation is now complete and Phase 1 has successfully completed.
Phase 2 (IPsec) security associations fail
Once the Phase 1 negotiation is established, you move into IPsec Phase 2. There is a different set of things that need to be checked:
After the above checks and validation, if you have both Phase 1 and Phase 2 successfully established and the VPN tunnel is reported as up, ensure traffic is passing through the tunnel. Initiate some traffic (ICMP traffic) from an inside host, or run packet tracer from the firewall to originate traffic, to bring Phase 2 up and see packet encaps and decaps happening.
VPN tunnel is established, but traffic not passing through
If traffic is not passing through the VPN tunnel, or #pkts encaps and #pkts decaps are not incrementing as expected: these numbers tell us how many packets have traversed the IPsec tunnel and verify that we are receiving traffic back from the remote end of the tunnel. There are a couple of things that you need to check:
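As an added example (not from the original article): a small Python helper that reads the #pkts encaps / #pkts decaps counters from two `show crypto ipsec sa` samples taken around a test ping and says what the change implies. The output lines below are constructed to follow the ASA counter-line format; the verdict strings are my own wording.

```python
import re

# Constructed sample of the counter lines from `show crypto ipsec sa` (ASA format),
# captured after sending test pings: packets leave encrypted, nothing comes back.
SAMPLE_AFTER = """\
    local ident (addr/mask/prot/port): (172.16.100.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SAMPLE_BEFORE = SAMPLE_AFTER.replace("48", "0")   # same SA, sampled before the pings

COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_counters(text: str) -> dict:
    """Return {'encaps': n, 'decaps': n} from one SA block of the command output."""
    found = {name: int(value) for name, value in COUNTER.findall(text)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counter(s) not found: {sorted(missing)}")
    return found

def diagnose(before: dict, after: dict) -> str:
    """Compare two samples taken around a test ping and return a short verdict."""
    sent = after["encaps"] - before["encaps"]   # packets we encrypted and sent
    recv = after["decaps"] - before["decaps"]   # packets we received and decrypted
    if sent == 0 and recv == 0:
        return "no traffic entered the tunnel: check the crypto ACL and routing to the VPN"
    if sent > 0 and recv == 0:
        return "encaps only: nothing returns; check the remote crypto ACL, NAT exemption and return route"
    if sent == 0 and recv > 0:
        return "decaps only: replies are not entering the tunnel; check local NAT exemption and ACL"
    return "tunnel is passing traffic in both directions"

if __name__ == "__main__":
    print(diagnose(parse_counters(SAMPLE_BEFORE), parse_counters(SAMPLE_AFTER)))
```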
Verify #pkts encaps and #pkts decaps
All of the above steps should resolve the VPN tunnel issues you are experiencing. If the tunnel still does not establish and traffic is not passing, we recommend trying a different set of encryption settings; there may be strange incompatibility issues between devices from different vendors. Also check the latest release notes for the firmware version of your VPN appliance (if you have already upgraded the firmware to the latest version). Finally, check the knowledge base and get vendor input for your specific appliance, as it may provide further suggestions and assistance.
Intermittent VPN flapping and disconnection
Sometimes the VPN tunnel state goes up and down constantly and users get frustrated by dropped connections to the servers. There are a couple of reasons a VPN tunnel gets dropped, and it can start all of a sudden even though you have not made any change to the tunnel. In this case, you need to check the following things:
Phase 1 (IKEv1) and Phase 2 (IPsec) Configuration Steps
Phase 1 (IKEv1) Configuration
Complete the steps below for the Phase 1 configuration. In this example we use CLI mode to enable IKEv1 on the outside interface:
Create an IKEv1 Phase-1 policy that defines the authentication, encryption, hashing, DH group (Diffie-Hellman) and lifetime.
Phase 2 (IPsec) Configuration
Complete these steps for the Phase 2 configuration:
Create an access list that defines the traffic to be encrypted and sent through the tunnel. In this example, the interesting traffic is from the 172.16.100.0/24 subnet to the 192.168.10.0/24 subnet. The list can contain multiple entries if multiple subnets are involved between the sites.
Note: In ASA versions 8.4 and later, objects or object groups can be created for the networks, subnets and host IP addresses. Here we have created two object groups that hold the local and remote subnets and use them for both the crypto access control list (ACL) and the NAT statements.
NAT Exemption Or NO NAT
(Note: Make sure that VPN traffic is not subjected to any other NAT rule.) Configure the IKEv1 transform set. An identical transform set must be created on the remote end as well.
Configure the crypto map, which contains the following components:
Create a tunnel group under the IPsec attributes and configure the peer IP address and the IPsec VPN tunnel pre-shared key.
Apply the crypto map on the outside interface:
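Here is an added example (not from the original article or Cisco's tooling) that cross-checks the two sides of a site-to-site IKEv1/IPsec tunnel against the settings-must-match rule from the Phase 1 and Phase 2 sections and the ASA steps above: a shared IKEv1 policy, matching pre-shared key, identical transform set, mirrored crypto ACLs and NAT exemption. The Side fields, the peer addresses and the key are assumptions; the subnets are the ones used in the example above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Side:                 # one gateway's settings, mirroring the ASA steps above
    outside_ip: str
    peer_ip: str            # peer address set in the tunnel-group / crypto map
    ikev1_policies: tuple   # (auth, encryption, hash, dh_group, lifetime) tuples
    transform_set: tuple    # (esp cipher, esp auth)
    crypto_acl: tuple       # (local subnet, remote subnet) pairs
    nat_exempt: tuple       # (local subnet, remote subnet) pairs excluded from NAT
    psk: str

def check_tunnel(a: Side, b: Side) -> list:
    """Return mismatch descriptions; an empty list means both ends agree."""
    findings = []
    # Each side's configured peer must be the other side's outside address.
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        findings.append("peer: tunnel-group peer address does not match the other side")
    # Phase 1 needs at least one IKEv1 policy in common (auth, enc, hash, DH, lifetime).
    if not set(a.ikev1_policies) & set(b.ikev1_policies):
        findings.append("phase1: no IKEv1 policy in common")
    # A PSK mismatch is the MM_WAIT_MSG5 (Receiver) / MM_WAIT_MSG6 (Initiator) case.
    if a.psk != b.psk:
        findings.append("phase1: pre-shared keys differ (MM_WAIT_MSG5/MM_WAIT_MSG6)")
    # Phase 2 transform sets must be identical on both ends.
    if a.transform_set != b.transform_set:
        findings.append("phase2: transform sets differ")
    # The crypto ACLs must mirror each other (local and remote swapped).
    if set(a.crypto_acl) != {(remote, local) for local, remote in b.crypto_acl}:
        findings.append("phase2: crypto ACLs are not mirror images")
    # Every interesting-traffic pair needs a NAT exemption so it is not translated.
    for label, side in (("A", a), ("B", b)):
        missing = set(side.crypto_acl) - set(side.nat_exempt)
        if missing:
            findings.append(f"nat: side {label} has no NAT exemption for {sorted(missing)}")
    return findings

# Constructed sample: the article's subnets, documentation-range peer IPs, placeholder PSK.
POLICY = ("pre-share", "aes-256", "sha", 14, 86400)
TS = ("esp-aes-256", "esp-sha-hmac")
A_PAIR, B_PAIR = ("172.16.100.0/24", "192.168.10.0/24"), ("192.168.10.0/24", "172.16.100.0/24")
SIDE_A = Side("203.0.113.1", "198.51.100.1", (POLICY,), TS, (A_PAIR,), (A_PAIR,), "PLACEHOLDER-PSK")
SIDE_B_OK = Side("198.51.100.1", "203.0.113.1", (POLICY,), TS, (B_PAIR,), (B_PAIR,), "PLACEHOLDER-PSK")
# Same side B, but with a different transform set and no NAT exemption: two findings.
SIDE_B_BAD = Side("198.51.100.1", "203.0.113.1", (POLICY,), ("esp-3des", "esp-md5-hmac"),
                  (B_PAIR,), (), "PLACEHOLDER-PSK")
if __name__ == "__main__":
    for finding in check_tunnel(SIDE_A, SIDE_B_BAD) or ["no mismatches found"]:
        print(finding)
```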
VPN Troubleshooting and Verification Command
Related
What is the difference between IKE Phase 1 and 2?
Phase 1 Security Associations are used to protect IKE messages that are exchanged between two IKE peers, or security endpoints. Phase 2 Security Associations are used to protect IP traffic, as specified by the security policy for a specific type of traffic, between two data endpoints.
What are the 2 modes of operation for IPsec?
The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The modes do not affect the encoding of packets. The packets are protected by AH, ESP, or both in each mode.
What is the purpose of IKE Phase 1?
The basic purpose of IKE phase 1 is to authenticate the IPsec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions: authenticates and protects the identities of the IPsec peers.
What is a Phase 2 selector?
The phase 2 selectors specify the IP addresses and netmasks of the source and destination subnets of the VPN. The phase 2 selectors are mandatory on the FortiGate-7000 and are used to make sure that all IPsec VPN traffic is sent to the primary (master) FPM.