Solve troubles when building VPN (2)

Last time, we introduced a solution to troubles that tend to occur when building VPN.Many of the causes of trouble are "the settings of each other are wrong" or "failed to connect to the Internet", and in most cases it can be solved by reviewing the settings in detail.

However, even if the settings are reviewed, the construction of VPN may fail.In such a case, the key to exploring the cause is "SA information".Therefore, this time, I will look at the SA information in detail.

What is SA information?

When establishing a VPN with IPsec, the router establishes a logical connection called SA with the telecommunications partner.SA is "Security Association", which manages security information such as keys and keys used in IPsec, encryption algorithms and authentication algorithms.

SA is established for each VPN traffic, and the ID is automatically shaken.Therefore, after the SA is established, the router performs VPN communication based on SA information.

In addition, SA itself has a lifespan according to the life of the key.The reason SA has a lifespan is that continuing to use the same encryption key increases the risk of leaking the cryptographic key.In other words, SA is updated regularly.

Check the existence of SA

First, let's look at the SA with the VPN established.The command is executed from the Router WebGui and performs it from the "Running Command" screen.When checking the existence of SA, execute the following command:

show ipsec sa

Then you will get the following response.

This item "SA" indicates the existence of SA.If you can see the existence of SA, the IPsec tunnel is established.In this case, there are six SAs.

In fact, the IPsec tunnel is established from three SAs.In the above case, the IPsec tunnel is composed of 1 to 3 SA.These three SAs play the following roles:

(1)鍵交換用SA(ISAKMP SA)

At the time of VPN settings, three routers have been set for each other: "Certification key", "authentication algorithm", and "encryption algorithm".Using these, key creation information is exchanged by each other's router.If the interactive key creation information is correct, "ISAKMP SA" is established.

(2)データ送信SA(IPsec SA send)

When the data to be communicated in VPN occurs, a negotiation is performed to establish an IPsec SA.Establish IPSEC SA using ISAKMP SA created in (1).IPsec SA is separate for transmission and reception, and is one -way.In addition, IPsec SA disappears after a certain period of time.

(3)データ受信SA(IPsec SA recv)

It is acceptable at IPsec SA made in the same way as (2).

Check the contents of SA

Let's look at the contents of SA.When checking the contents of the SA, execute the following command:

show ipsec sa gateway 1 detail

Then you will get the following response.

You can see that each SA has an algorithm and key.A mutual router where the VPN connection is established, that is, the established IPsec tunnel has SA with the same value.

When VPN connection is not established

A state in which VPN connection is established is, that is, a SA that contains the same value in each other's router.Conversely, if the VPN has not been established, the SA of either router has been lost at least.

For example, if you restart the router, the SA will disappear.Still, the other router tries to reconnect.At this time, if the SA is not set to create a new SA, the VPN connection will not be established because the SA will not be recreated.The following command is to enable SA automatic updates if the SA is not found.

ipsec auto refresh on

In addition, there is an IKE keep alive as a function to detect key replacement failures.It is used to detect the failure of the IPsec tunnel, and monitors whether it is possible to communicate with the connected router.

ipsec ike keepalive use 1 on

If you set them in "ON", the IPsec tunnel will be recreated when SA is lost, so it seems that you can deal with troubles that cannot be established for VPN connections.

In addition, there are the following commands.As I mentioned earlier, a state where VPN has not been established refers to the case where the SA of either router has disappeared.So, let's issue a command that extends the life of SA or recreates SA.

SAを削除する

ipsec sa delete all

ISAKMP SAの寿命を設定する

ipsec ike duration isakmp-sa 1 691200

IPsec SAの寿命を設定する

ipsec ike duration ipsec-sa 1 691200

This time, I explained about the SA that made up the IPsec tunnel.It is very important to know SA when understanding the mechanism of IPsec VPN.

Next time, we will talk about the maintenance of networks starting after building VPN.The work that is at the center of maintenance is "visualization".Introducing the visualization of the network using LAN maps mounted on Yamaharta.