VPN shared key troubleshooting

One of the top 10 common Cisco VPN problems is a mismatched pre-shared key. It is easy to fix, but not always easy to notice; see the case below.

A simple IPsec tunnel between the Fast Ethernet interfaces of routers SW1 (f1/1) and R1 (f0/0):

Loopback0---10.0.0.2---R1<-.2-f0/0---192.168.1/24---f1/1-.1->SW1---10.0.10.1--- Loopback0

I can't ping between the loopback interfaces of these routers, see below:
    SW1#ping 10.0.0.2 source 10.0.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.10.1
    .....
    Success rate is 0 percent (0/5)


    R1#ping 10.0.10.1 source 10.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.2
    .....
    Success rate is 0 percent (0/5)


The configuration is simple and straightforward, see below:
    R1#sh crypto map tag VPN
    Crypto Map "VPN" 200 ipsec-isakmp
            Peer = 192.168.1.1
            Extended IP access list ACL
                access-list ACL permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
            Current peer: 192.168.1.1
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    SET,
            }
            Interfaces using crypto map VPN:
                    FastEthernet0/0



    SW1#sh crypto map tag VPN
    Crypto Map "VPN" 100 ipsec-isakmp
            Peer = 192.168.1.2
            Extended IP access list ACL
                access-list ACL permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
            Current peer: 192.168.1.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    SET,
            }
            Interfaces using crypto map VPN:
                    FastEthernet1/1



RIP is set up on both routers:
    #sh run | section router
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
     no auto-summary


The crypto configurations:
    SW1#sh run | section crypto
    crypto isakmp policy 20
     authentication pre-share
    crypto isakmp key cisco address 192.168.1.2
    crypto ipsec transform-set SET esp-des esp-sha-hmac
    crypto map VPN 100 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set SET
     match address ACL
     crypto map VPN


    R1#sh run | section crypto
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key  cisco address 192.168.1.1
    crypto ipsec transform-set SET esp-des esp-sha-hmac
    crypto map VPN 200 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set SET
     match address ACL
     crypto map VPN


And the interfaces:
    SW1#sh run int f1/1
    Building configuration...
    Current configuration : 102 bytes
    !
    interface FastEthernet1/1
     no switchport
     ip address 192.168.1.1 255.255.255.0
     crypto map VPN
    end


    R1#sh run int f0/0
    Building configuration...
    Current configuration : 112 bytes
    !
    interface FastEthernet0/0
     ip address 192.168.1.2 255.255.255.0
     duplex auto
     speed auto
     crypto map VPN
    end


From R1, routing looks correct:

    R1#sh ip route
         10.0.0.0/24 is subnetted, 2 subnets
    R       10.0.10.0 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
    C       10.0.0.0 is directly connected, Loopback0
    C    192.168.1.0/24 is directly connected, FastEthernet0/0


    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    IPv6 Crypto ISAKMP SA


There is no ISAKMP SA yet, and I still cannot ping the SW1 loopback from the R1 loopback:
    R1#ping 10.0.10.1 source 10.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.2
    .....
    Success rate is 0 percent (0/5)



The ping has triggered IKE, but Phase 1 does not complete: the ISAKMP SA is stuck in MM_KEY_EXCH, see below:
    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.1.1     192.168.1.2     MM_KEY_EXCH       1004    0 ACTIVE
    IPv6 Crypto ISAKMP SA



Let's look at the Phase 1 debug output (debug crypto isakmp) while pinging again:
    R1#ping 10.0.10.1 source 10.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.2
    *Mar  1 00:42:59.127: ISAKMP:(0): SA request profile is (NULL)
    *Mar  1 00:42:59.131: ISAKMP: Created a peer struct for 192.168.1.1, peer port 500
    *Mar  1 00:42:59.135: ISAKMP: New peer created peer = 0x63B01638 peer_handle = 0x80000005
    *Mar  1 00:42:59.139: ISAKMP: Locking peer struct 0x63B01638, refcount 1 for isakmp_initiator
    *Mar  1 00:42:59.139: ISAKMP: local port 500, remote port 500
    *Mar  1 00:42:59.143: ISAKMP: set new node 0 to QM_IDLE
    *Mar  1 00:42:59.147: insert sa successfully sa = 64D7851C
    *Mar  1 00:42:59.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Mar  1 00:42:59.151: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
    *Mar  1 00:42:59.155: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Mar  1 00:42:59.159: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Mar  1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Mar  1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Mar  1 00:42:59.167: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Mar  1 00:42:59.167: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Mar  1 00:42:59.171: ISAKMP:(0): beginning Main Mode exchange
    *Mar  1 00:42:59.175: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Mar  1 00:42:59.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar  1 00:42:59.287: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    *Mar  1 00:42:59.295: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:42:59.295: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Mar  1 00:42:59.347: ISAKMP:(0): processing SA payload. message ID. = 0
    *Mar  1 00:42:59.347: ISAKMP:(0): processing vendor id payload
    *Mar  1 00:42:59.351: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:42:59.351: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar  1 00:42:59.355: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
    *Mar  1 00:42:59.355: ISAKMP:(0): local preshared key found
    *Mar  1 00:42:59.355: ISAKMP : Scanning profiles for xauth ...
    *Mar  1 00:42:59.355: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Mar  1 00:42:59.355: ISAKMP:      encryption DES-CBC
    *Mar  1 00:42:59.355: ISAKMP:      hash SHA
    *Mar  1 00:42:59.355: ISAKMP:      default group 1
    *Mar  1 00:42:59.355: ISAKMP:      auth pre-share
    *Mar  1 00:42:59.355: ISAKMP:      life type in seconds
    *Mar  1 00:42:59.355: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Mar  1 00:42:59.355: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Mar  1 00:42:59.355: ISAKMP:(0):Acceptable atts:actual life: 0
    *Mar  1 00:42:59.355: ISAKMP:(0):Acceptable atts:life: 0
    *Mar  1 00:42:59.355: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Mar  1 00:42:59.359: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Mar  1 00:42:59.359: ISAKMP:(0):Returning Actual lifetime: 86400
    *Mar  1 00:42:59.363: ISAKMP:(0)::Started lifetime timer: 86400.
    *Mar  1 00:42:59.363: ISAKMP:(0): processing vendor id payload
    *Mar  1 00:42:59.367: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:42:59.371: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar  1 00:42:59.371: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:42:59.371: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Mar  1 00:42:59.371: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Mar  1 00:42:59.371: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar  1 00:42:59.375: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:42:59.375: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    *Mar  1 00:42:59.523: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Mar  1 00:42:59.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:42:59.531: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    *Mar  1 00:42:59.543: ISAKMP:(0): processing KE payload. message ID = 0
    *Mar  1 00:42:59.635: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Mar  1 00:42:59.635: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
    *Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
    *Mar  1 00:42:59.635: ISAKMP:(1004): vendor ID is Unity
    *Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
    *Mar  1 00:42:59.635: ISAKMP:(1004): vendor ID is DPD
    *Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
    *Mar  1 00:42:59.635: ISAKMP:(1004): speaking to another IOS box!
    *Mar  1 00:42:59.635: ISAKMP:received payload type 20
    *Mar  1 00:42:59.635: ISAKMP:received payload type 20
    *Mar  1 00:42:59.635: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:42:59.635: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM4
    *Mar  1 00:42:59.635: ISAKMP:(1004):Send initial contact
    *Mar  1 00:42:59.635: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar  1 00:42:59.635: ISAKMP (0:1004): ID payload
            next-payload : 8
            type         : 1
            address      : 192.168.1.2
            protocol     : 17
            port         : 500
            length       : 12
    *Mar  1 00:42:59.635: ISAKMP:(1004):Total payload length: 12
    *Mar  1 00:42:59.635: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:42:59.635: ISAKMP:(1004):Sending an IKE IPv4 Packet.
    *Mar  1 00:42:59.639: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:42:59.639: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM5
    *Mar  1 00:43:00.743: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Mar  1 00:43:00.747: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
    *Mar  1 00:43:00.751: ISAKMP:(1004): retransmitting due to retransmit phase 1
    *Mar  1 00:43:01.251: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
    *Mar  1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Mar  1 00:43:01.255: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
    *Mar  1 00:43:01.259: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:43:01.263: ISAKMP:(1004):Sending an IKE IPv4 Packet...
    Success rate is 0 percent (0/5)
    R1#
    *Mar  1 00:43:11.267: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
    *Mar  1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Mar  1 00:43:11.271: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
    *Mar  1 00:43:11.275: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:43:11.279: ISAKMP:(1004):Sending an IKE IPv4 Packet.
    *Mar  1 00:43:11.879: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Mar  1 00:43:11.883: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
    R1#
    *Mar  1 00:43:11.887: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 600)
    R1#
    *Mar  1 00:43:21.283: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
    *Mar  1 00:43:21.287: ISAKMP (0:1004): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Mar  1 00:43:21.287: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
    *Mar  1 00:43:21.291: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:43:21.295: ISAKMP:(1004):Sending an IKE IPv4 Packet.
    *Mar  1 00:43:21.927: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Mar  1 00:43:21.931: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
    R1#
    *Mar  1 00:43:21.935: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 632)
    R1#
    *Mar  1 00:43:29.127: ISAKMP: set new node 0 to QM_IDLE
    *Mar  1 00:43:29.131: ISAKMP:(1004):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.1)
    *Mar  1 00:43:29.135: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Mar  1 00:43:29.135: ISAKMP: Error while processing KMI message 0, error 2.
    R1#
    *Mar  1 00:43:31.299: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
    *Mar  1 00:43:31.303: ISAKMP (0:1004): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Mar  1 00:43:31.303: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
    *Mar  1 00:43:31.307: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:43:31.311: ISAKMP:(1004):Sending an IKE IPv4 Packet.
    *Mar  1 00:43:31.851: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Mar  1 00:43:31.855: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
    R1#
    *Mar  1 00:43:31.859: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 540)
    R1#
    *Mar  1 00:43:41.315: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
    *Mar  1 00:43:41.319: ISAKMP (0:1004): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Mar  1 00:43:41.319: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
    *Mar  1 00:43:41.323: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Mar  1 00:43:41.327: ISAKMP:(1004):Sending an IKE IPv4 Packet.
    R1#

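The "show crypto isakmp sa" tables above tell the whole story once you know what each main-mode state means. The following Python script is an added example, not part of the original article and not Cisco code: it parses that table, maps each state to its documented meaning and to the usual cause when an SA sits in it (MM_KEY_EXCH with retransmits, as here, points at authentication, i.e. the pre-shared key), and treats "(deleted)" rows and the empty table as their own cases. The names parse_isakmp_sa, diagnose and STATE_MEANING, and the three sample tables, are all constructed for this illustration.

```python
"""Interpret Cisco IOS 'show crypto isakmp sa' output (IKEv1 Phase 1 states).

Added example, not part of the original article or of Cisco IOS. The sample
outputs below are constructed to mirror the layout shown on the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Main-mode states as Cisco documents them, paired with the reading a
# troubleshooter applies when an SA is stuck in that state.
STATE_MEANING = {
    "MM_NO_STATE": ("ISAKMP SA created, nothing negotiated yet",
                    "peer not answering on UDP/500 or no matching ISAKMP policy"),
    "MM_SA_SETUP": ("ISAKMP policy parameters agreed",
                    "Diffie-Hellman exchange not completing"),
    "MM_KEY_EXCH": ("DH keys exchanged, shared secret derived, SA not yet authenticated",
                    "authentication failing: verify the pre-shared key byte for byte "
                    "(whitespace included) and the peer address it is bound to"),
    "MM_KEY_AUTH": ("ISAKMP SA authenticated", "should transition to QM_IDLE"),
    "QM_IDLE": ("Phase 1 complete, SA quiescent and usable for quick mode", "healthy"),
}

# One row of the IPv4 table: dst src state conn-id slot status
SA_ROW = re.compile(
    r"^\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S.*?)\s*$"
)


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str

    @property
    def deleted(self) -> bool:
        # IOS keeps a torn-down SA visible for a while and tags it "(deleted)"
        return "(deleted)" in self.status


def parse_isakmp_sa(output: str) -> list[IsakmpSa]:
    """Return the rows of the IPv4 table; the IPv6 table is ignored."""
    rows: list[IsakmpSa] = []
    in_ipv4 = False
    for line in output.splitlines():
        text = line.strip()
        if text == "IPv4 Crypto ISAKMP SA":
            in_ipv4 = True
            continue
        if text == "IPv6 Crypto ISAKMP SA":
            in_ipv4 = False
            continue
        m = SA_ROW.match(line)
        if in_ipv4 and m:
            rows.append(IsakmpSa(m["dst"], m["src"], m["state"],
                                 int(m["conn_id"]), m["status"]))
    return rows


def diagnose(output: str) -> list[str]:
    """One finding per live SA, or a single finding when the table is empty."""
    live = [sa for sa in parse_isakmp_sa(output) if not sa.deleted]
    if not live:
        return ["no ISAKMP SA: no interesting traffic has triggered IKE yet, "
                "or the crypto map is not applied to the egress interface"]
    findings = []
    for sa in live:
        meaning, hint = STATE_MEANING.get(
            sa.state, ("undocumented state", "capture 'debug crypto isakmp'"))
        findings.append(
            f"{sa.src} -> {sa.dst} (conn-id {sa.conn_id}): {sa.state}: {meaning}; {hint}")
    return findings


# Constructed samples mirroring the three tables shown in the article.
EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA
"""
STUCK = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     MM_KEY_EXCH       1004    0 ACTIVE
IPv6 Crypto ISAKMP SA
"""
HEALTHY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     QM_IDLE           1006    0 ACTIVE
192.168.1.1     192.168.1.2     MM_NO_STATE       1005    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
"""

if __name__ == "__main__":
    for name, sample in (("empty", EMPTY), ("stuck", STUCK), ("healthy", HEALTHY)):
        for finding in diagnose(sample):
            print(f"[{name}] {finding}")
```

Run it against the pasted output of "show crypto isakmp sa" from the initiator; on the table from this case it reports the MM_KEY_EXCH row with the pre-shared key hint, and after the fix it reports only the QM_IDLE row, ignoring the "(deleted)" leftover.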


 
The solution lies in the ISAKMP key. At first glance the key 'cisco' looks identical on both routers, but compare these two lines from R1 and SW1:

    crypto isakmp key  cisco address 192.168.1.1
    crypto isakmp key cisco address 192.168.1.2

On router R1 there is an extra space before the key, so the two routers are not actually using the same pre-shared key. Let's fix it and see what happens:
    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#no crypto isakmp key  cisco address 192.168.1.1
    R1(config)#crypto isakmp key "cisco" address 192.168.1.1

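A mismatch like this is invisible to the eye but trivial for a script. The Python below is an added example (not from the original article, not Cisco code): it pulls the "crypto isakmp key ... address ..." lines out of the "show run | section crypto" text from both peers, checks that each side has a key for the other's address, and compares the two keys byte for byte. It reports a whitespace-only difference separately and never prints the key itself, only its length and whitespace flags. The names parse_psks, describe and check_psk_pair, the KEY_LINE pattern, and the R1_CFG, SW1_CFG and R1_FIXED samples are constructed for this illustration; R1_FIXED assumes the re-entered key shows up in the running configuration without the surrounding quotes.

```python
"""Cross-check IKEv1 pre-shared keys between two IOS configurations byte for byte.

Added example, not part of the original article or of Cisco IOS. It reads the
'crypto isakmp key' lines out of 'show run | section crypto' text from both
peers and reports differences the eye misses, such as the extra space in the
case above, without printing the keys themselves. The configs below are
constructed copies of what the article shows.
"""
from __future__ import annotations

import re

# crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]
# The key is captured lazily up to ' address ', so leading/trailing blanks survive.
KEY_LINE = re.compile(
    r"^crypto isakmp key (?:(?P<enc>[06]) )?(?P<key>.+?) address "
    r"(?P<peer>\d+\.\d+\.\d+\.\d+)"
)


def parse_psks(config: str) -> dict[str, str]:
    """Map peer address -> key string exactly as configured (whitespace preserved)."""
    keys: dict[str, str] = {}
    for raw in config.splitlines():
        m = KEY_LINE.match(raw.lstrip())   # strip only the line's own indentation
        if m and m["enc"] != "6":          # type-6 keys are encrypted; no text compare
            keys[m["peer"]] = m["key"]
    return keys


def describe(key: str) -> str:
    """Describe a key without revealing it: length plus whitespace flags."""
    return (f"len={len(key)} leading_ws={key != key.lstrip()} "
            f"trailing_ws={key != key.rstrip()}")


def check_psk_pair(local_cfg: str, local_addr: str,
                   remote_cfg: str, remote_addr: str) -> list[str]:
    """Findings for one tunnel: each side needs a key for the other's address,
    and the two keys must be identical bytes. An empty list means consistent."""
    local, remote = parse_psks(local_cfg), parse_psks(remote_cfg)
    findings = []
    if remote_addr not in local:
        findings.append(f"local side has no (plaintext) key for peer {remote_addr}")
    if local_addr not in remote:
        findings.append(f"remote side has no (plaintext) key for peer {local_addr}")
    if findings:
        return findings
    lk, rk = local[remote_addr], remote[local_addr]
    if lk == rk:
        return []
    if lk.strip() == rk.strip():
        return [f"keys differ only by surrounding whitespace (local {describe(lk)}; "
                f"remote {describe(rk)}): re-enter the key, quoted, on the side with the blank"]
    return [f"keys differ (local {describe(lk)}; remote {describe(rk)})"]


# Constructed copies of the 'show run | section crypto' output from the article.
R1_CFG = """crypto isakmp policy 10
 authentication pre-share
crypto isakmp key  cisco address 192.168.1.1
crypto ipsec transform-set SET esp-des esp-sha-hmac
"""
SW1_CFG = """crypto isakmp policy 20
 authentication pre-share
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set SET esp-des esp-sha-hmac
"""
# R1's key line after re-entering the key (constructed; quotes assumed not shown).
R1_FIXED = R1_CFG.replace("key  cisco", "key cisco")

if __name__ == "__main__":
    for label, cfg in (("before", R1_CFG), ("after", R1_FIXED)):
        result = check_psk_pair(cfg, "192.168.1.2", SW1_CFG, "192.168.1.1")
        print(label, result or "pre-shared keys match")
```

Because the key is captured lazily up to " address ", a leading or trailing blank in the configured key is kept and compared, which is exactly the detail the eye skips; keys stored as type 6 are skipped rather than compared, since their text form says nothing about the plaintext.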

    R1#ping 10.0.10.1 source 10.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.2
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 92/173/252 ms




    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.1.1     192.168.1.2     QM_IDLE           1006    0 ACTIVE
    192.168.1.1     192.168.1.2     MM_NO_STATE       1005    0 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA


    R1#sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: VPN, local addr 192.168.1.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
       current_peer 192.168.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4


So the tunnel is working now: Phase 1 reaches QM_IDLE, and the IPsec SA shows packets being encrypted and decrypted in both directions.