03 September, 2014

DMVPN IKE Call Admission Control (CAC)


The Call Admission Control for IKE feature describes the application of Call Admission Control (CAC) to the Internet Key Exchange (IKE) protocol in Cisco IOS software. CAC limits the number of simultaneous IKE and IPsec security associations (SAs), that is, calls to CAC, that a router can establish.

CAC Protection
- In-Negotiation Limit
- SA Limit

Implementation:

In-Negotiation Limit:
Rate limiting for IKE Phase 1. Caps how many IKE Phase 1 negotiations may be in progress at the same time, so an attacker cannot tie up the router with a flood of half-open IKE Phase 1 negotiations.

SA Limit:
In our lab, in the worst case we have 2 IKE Phase 1 SAs between each pair of devices, so each device has 6 IKE Phase 1 SAs.
If we configure the limit to 10, it leaves room for the legitimate SAs and prevents malicious connections beyond them.
With this configuration we limit DoS attacks and also protect our devices from a malfunctioning peer (a logic error or software issue) that keeps opening SAs.

! Check EIGRP Routes
R2-Spoke#show ip route eigrp 
D        10.1.1.0/24 [90/27008000] via 172.16.0.1, 02:29:53, Tunnel0
D        10.3.3.0/24 [90/28288000] via 172.16.0.3, 02:28:34, Tunnel0
D        10.4.4.0/24 [90/28288000] via 172.16.0.4, 02:27:59, Tunnel0

R2-Spoke#ping 10.1.1.1 source lo 0 
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!  Success rate is 100 percent (5/5)

R2-Spoke#ping 10.3.3.3 source lo 0 
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!  Success rate is 100 percent (5/5)

R2-Spoke#ping 10.4.4.4 source lo 0 
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!  Success rate is 100 percent (5/5)

! Check IKE Phase 1 Security Associations (SA)
R2-Spoke#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.0.0.2        35.0.0.3        QM_IDLE           1002 ACTIVE 
35.0.0.3        25.0.0.2        QM_IDLE           1003 ACTIVE
45.0.0.4        25.0.0.2        QM_IDLE           1005 ACTIVE
25.0.0.2        45.0.0.4        QM_IDLE           1004 ACTIVE
15.0.0.1        25.0.0.2        QM_IDLE           1001 ACTIVE

! Check Default Configuration 
R2-Spoke#show crypto call admission statistics 
-----------------------------------------------------------------------
                 Crypto Call Admission Control Statistics
-----------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0   Max in nego:  1000
Total IKE SA Count:           5 active:          5   negotiating:     0
Incoming IKE Requests:        2 accepted:        2   rejected:        0
Outgoing IKE Requests:        3 accepted:        3   rejected:        0
Rejected IKE Requests:        0 rsrc low:        0   SA limit:        0
IKE packets dropped at dispatch:        0

! Note:
Max IKE SAs:  0     =  No SA limit is enforced.
Max in nego:  1000  =  Up to 1000 IKE SAs may be in negotiation at once; this is a very high number.
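To audit this posture without reading the table by eye, the following added example (not part of the original post or of Cisco IOS) parses the `show crypto call admission statistics` output quoted above into a dictionary and reports the conditions the post discusses: no SA limit set, an in-negotiation limit that is too high to protect anything, a limit below what the design needs (the 3 peers x 2 SAs = 6 of the lab), and rejections already counted against the SA limit. The `nego_threshold` default of 100 and the `headroom` of 4 used by `recommended_sa_limit` are assumptions of this example, chosen so that the lab's 3 peers yield the post's limit of 10; the sample tables are constructed from the page's output.

```python
import re

# Constructed sample: the statistics output quoted on this page before any
# limit is configured (Max IKE SAs 0, Max in nego 1000).
DEFAULT_STATS = """\
-----------------------------------------------------------------------
                 Crypto Call Admission Control Statistics
-----------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0   Max in nego:  1000
Total IKE SA Count:           5 active:          5   negotiating:     0
Incoming IKE Requests:        2 accepted:        2   rejected:        0
Outgoing IKE Requests:        3 accepted:        3   rejected:        0
Rejected IKE Requests:        0 rsrc low:        0   SA limit:        0
IKE packets dropped at dispatch:        0
"""

# Constructed sample: the same output after 'crypto call admission limit ike sa 2'
# has already rejected one outgoing request.
LIMITED_STATS = """\
System Resource Limit:        0 Max IKE SAs:     2   Max in nego:    10
Total IKE SA Count:           2 active:          2   negotiating:     0
Incoming IKE Requests:        3 accepted:        3   rejected:        0
Outgoing IKE Requests:        5 accepted:        4   rejected:        1
Rejected IKE Requests:        1 rsrc low:        0   SA limit:        1
IKE packets dropped at dispatch:        0
"""

# One "Label:   123" pair; a line holds several, the first names the row.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)")


def parse_cac_statistics(text):
    """Turn the IOS table into {row: {"value": n, column: n, ...}}.

    Title and separator lines carry no 'label: number' pair and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        pairs = PAIR_RE.findall(line)
        if not pairs:
            continue
        row_label, first_value = pairs[0]
        row = {"value": int(first_value)}
        for label, value in pairs[1:]:
            row[label.strip()] = int(value)
        rows[row_label.strip()] = row
    return rows


def recommended_sa_limit(peers, sas_per_peer=2, headroom=4):
    """Assumed sizing rule: SAs the design needs plus a small margin.
    With the lab's 3 peers and 2 SAs each this yields the post's limit of 10."""
    return peers * sas_per_peer + headroom


def audit_cac(stats, expected_sas, nego_threshold=100):
    """Return a list of (code, message) findings for a parsed statistics table.

    expected_sas is the number of IKE SAs the design needs; nego_threshold is an
    assumed cut-off above which the in-negotiation limit gives little protection.
    """
    limits = stats["System Resource Limit"]
    max_sa, max_nego = limits["Max IKE SAs"], limits["Max in nego"]
    active = stats["Total IKE SA Count"]["active"]
    rejected = stats["Rejected IKE Requests"]["SA limit"]
    findings = []
    if max_sa == 0:
        findings.append(("NO_SA_LIMIT", "Max IKE SAs is 0: no SA limit is enforced"))
    elif max_sa < expected_sas:
        findings.append(("SA_LIMIT_TOO_LOW",
                         f"Max IKE SAs {max_sa} is below the {expected_sas} SAs the design needs"))
    if max_nego > nego_threshold:
        findings.append(("NEGO_LIMIT_HIGH",
                         f"Max in nego {max_nego} exceeds the threshold of {nego_threshold}"))
    if max_sa and active > max_sa:
        # The state IOS warns about with %CRYPTO-4-IKE_SA_LIMIT: existing SAs are kept.
        findings.append(("ACTIVE_OVER_LIMIT", f"{active} active SAs exceed the limit of {max_sa}"))
    if rejected:
        findings.append(("SA_LIMIT_REJECTS", f"{rejected} IKE requests were rejected by the SA limit"))
    return findings


if __name__ == "__main__":
    needed = recommended_sa_limit(3) - 4  # the lab's 6 SAs
    for name, table in (("default", DEFAULT_STATS), ("limited", LIMITED_STATS)):
        print(name)
        for code, message in audit_cac(parse_cac_statistics(table), expected_sas=needed):
            print(f"  {code}: {message}")
```

Feed it the output of `show crypto call admission statistics` collected from each hub and spoke; a spoke reporting `SA_LIMIT_TOO_LOW` together with `SA_LIMIT_REJECTS` is rejecting legitimate tunnels, which is exactly the situation the post reproduces later with the limit set to 2.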

! Note: The limit only affects new connections, not the ACTIVE ones.

! Set the IKE SA limit
R2-Spoke(config)#crypto call admission limit ike sa 10
R2-Spoke(config)#do show crypto call admission statistics | in Max
System Resource Limit:        0 Max IKE SAs:    10    Max in nego:  1000

! Note: We have 5 ACTIVE SAs. If we configure the limit to 2, IOS generates a log message:
R2-Spoke(config)#crypto call admission limit ike sa 2 
*Sep  3 17:41:31.399: %CRYPTO-4-IKE_SA_LIMIT: IKE active SA count is 5 but SA limit has been set to 2.

! Set Maximum number of in-negotiation IKE SAs allowed
R2-Spoke(config)#crypto call admission limit ike in-negotiation-sa 10
R2-Spoke(config)#do show crypto call admission statistics | in Max   
System Resource Limit:        0 Max IKE SAs:    10    Max in nego:    10

! Run some tests to check how it works.
! Reset the statistics
R1-Hub(config)#in ser 1/0
R1-Hub(config-if)#shutdown 
R1-Hub(config-if)#do clear crypto isakmp 
R1-Hub(config-if)#do clear crypto sa 
! Do the same on all devices R2, R3, R4 and then make no shutdown
R1-Hub(config-if)#no shutdown

! Set SA Limit to 2  (Allowed 2)
R2-Spoke(config)#crypto call admission limit ike sa 2

! Check EIGRP Routes
R2-Spoke(config)#do show ip route eigrp | in Tunn
D        10.1.1.0/24 [90/27008000] via 172.16.0.1, 00:04:34, Tunnel0
D        10.3.3.0/24 [90/28288000] via 172.16.0.3, 00:04:34, Tunnel0
D        10.4.4.0/24 [90/28288000] via 172.16.0.4, 00:04:34, Tunnel0

! Now do the ping to 10.4.4.4
R2-Spoke#ping 10.4.4.4 source lo 0 
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!   Success rate is 100 percent (5/5)
! Note: It generates a log message:
*Sep  3 18:06:28.567: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an OUTGOING SA request from 25.0.0.2 to 45.0.0.4 due to IKE SA LIMIT REACHED

! Check again Configured Limits and Statistics.
R2-Spoke(config)#do show crypto call admission statistics
-----------------------------------------------------------------------
                 Crypto Call Admission Control Statistics
-----------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     2   Max in nego:    10
Total IKE SA Count:           2 active:          2   negotiating:     0
Incoming IKE Requests:        3 accepted:        3   rejected:        0
Outgoing IKE Requests:        5 accepted:        4   rejected:        1
Rejected IKE Requests:        1 rsrc low:        0   SA limit:        1
IKE packets dropped at dispatch:        0

! Make ping to R3
R2-Spoke#ping 10.3.3.3 source lo 0             
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!    Success rate is 100 percent (5/5)
*Sep  3 18:12:35.883: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an INCOMING SA request from 35.0.0.3 to 25.0.0.2 due to IKE SA LIMIT REACHED

! Note: The ping was successful, but the traffic goes through R1 to reach R3 (no tunnel is created between R2 and R3 because of the limit we configured)
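The two `%CRYPTO-4-IKE_DENY_SA_REQ` messages above are the only sign that spoke-to-spoke traffic is now hairpinning through the hub, so they are worth alerting on. The following added example (not from the original post or from Cisco) parses those syslog lines, together with the `%CRYPTO-4-IKE_SA_LIMIT` warning shown earlier, into structured events and triages the denied peers: a denied address that belongs to a known spoke means the limit is below what the DMVPN design needs, while an unknown address means the limit is doing what it was configured for. The `CacEvent` class, the `triage` function and the list of known peers are constructions of this example; the sample log is built from the messages on the page plus one unrelated IOS line to ignore.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the three CAC messages quoted on this page plus one
# unrelated IOS message, so the parser has something to skip.
SAMPLE_LOG = """\
*Sep  3 17:41:31.399: %CRYPTO-4-IKE_SA_LIMIT: IKE active SA count is 5 but SA limit has been set to 2.
*Sep  3 18:06:28.567: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an OUTGOING SA request from 25.0.0.2 to 45.0.0.4 due to IKE SA LIMIT REACHED
*Sep  3 18:12:35.883: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an INCOMING SA request from 35.0.0.3 to 25.0.0.2 due to IKE SA LIMIT REACHED
*Sep  3 18:13:02.115: %SYS-5-CONFIG_I: Configured from console by console
"""

# Addresses of the lab's hub and spokes as they appear in 'show crypto isakmp sa'.
LOCAL_ADDR = "25.0.0.2"
KNOWN_PEERS = {"15.0.0.1", "35.0.0.3", "45.0.0.4"}

TIMESTAMP = r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
DENY_RE = re.compile(
    TIMESTAMP + r"%CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an (?P<direction>INCOMING|OUTGOING) "
    r"SA request from (?P<src>\S+) to (?P<dst>\S+) due to (?P<reason>.+)$"
)
LIMIT_RE = re.compile(
    TIMESTAMP + r"%CRYPTO-4-IKE_SA_LIMIT: IKE active SA count is (?P<active>\d+) "
    r"but SA limit has been set to (?P<limit>\d+)"
)


@dataclass
class CacEvent:
    ts: str
    kind: str            # "deny" or "limit_warning"
    direction: str = ""  # INCOMING / OUTGOING for deny events
    src: str = ""
    dst: str = ""
    detail: str = ""     # denial reason, or "active N > limit M"


def parse_cac_events(lines):
    """Extract CAC-related events from IOS syslog lines; other lines are ignored."""
    events = []
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            events.append(CacEvent(m["ts"], "deny", m["direction"], m["src"], m["dst"],
                                   m["reason"].strip()))
            continue
        m = LIMIT_RE.match(line)
        if m:
            events.append(CacEvent(m["ts"], "limit_warning",
                                   detail=f"active {m['active']} > limit {m['limit']}"))
    return events


def denied_remote_peers(events):
    """The far end of each denied request: the destination of an OUTGOING request,
    the source of an INCOMING one."""
    peers = set()
    for ev in events:
        if ev.kind == "deny":
            peers.add(ev.dst if ev.direction == "OUTGOING" else ev.src)
    return peers


def triage(events, known_peers):
    """Split denied peers into known spokes (limit too low for the design; their
    traffic hairpins via the hub) and unknown addresses (the limit did its job)."""
    denied = denied_remote_peers(events)
    return {"known": sorted(denied & known_peers), "unknown": sorted(denied - known_peers)}


if __name__ == "__main__":
    evs = parse_cac_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev)
    print(triage(evs, KNOWN_PEERS))
```

Run against the router's syslog feed, a non-empty `known` list is the signal that the SA limit on this spoke must be raised (as the post does next, to 6), whereas a steady stream of `unknown` entries is the limit protecting the router and only needs to be watched.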

R2-Spoke#traceroute 10.3.3.3 source lo 0
Tracing the route to 10.3.3.3
  1 172.16.0.1 108 msec 108 msec 84 msec    <-- R1
  2 172.16.0.3 172 msec 168 msec 72 msec    <-- R3

R2-Spoke#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.0.0.2        45.0.0.4        QM_IDLE           1007 ACTIVE
15.0.0.1        25.0.0.2        QM_IDLE           1006 ACTIVE
IPv6 Crypto ISAKMP SA

! We have seen how it blocks connections that are not allowed. Now change the limit to 6
R2-Spoke(config)#crypto call admission limit ike sa 6

! Make more pings to R3 and R4
R2-Spoke#ping 10.3.3.3 source lo 0
R2-Spoke#ping 10.4.4.4 source lo 0

! Check IKE SA Again 
R2-Spoke#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.0.0.2        35.0.0.3        QM_IDLE           1009 ACTIVE
35.0.0.3        25.0.0.2        QM_IDLE           1008 ACTIVE
25.0.0.2        45.0.0.4        QM_IDLE           1007 ACTIVE
15.0.0.1        25.0.0.2        QM_IDLE           1006 ACTIVE