One of the top 10 common Cisco VPN problems is a mismatched pre-shared key. It is easy to fix, but not always easy to notice, as the case below shows.
A simple IPsec tunnel between the FastEthernet interfaces of router R1 (f0/0) and switch SW1 (f1/1); each device has a Loopback0 behind the tunnel, and the loopback subnets are the interesting traffic:
Loopback0---10.0.0.2---R1<-.2-f0/0---192.168.1/24---f1/1-.1->SW1---10.0.10.1--- Loopback0
The loopback interfaces cannot ping each other in either direction, see below:
SW1#ping 10.0.0.2 source 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5)
The configuration is simple and straightforward: one crypto map entry per side, with mirrored crypto ACLs, see below:
R1#sh crypto map tag VPN
Crypto Map "VPN" 200 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list ACL
access-list ACL permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
SET,
}
Interfaces using crypto map VPN:
FastEthernet0/0
SW1#sh crypto map tag VPN
Crypto Map "VPN" 100 ipsec-isakmp
Peer = 192.168.1.2
Extended IP access list ACL
access-list ACL permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
Current peer: 192.168.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
SET,
}
Interfaces using crypto map VPN:
FastEthernet1/1
RIP is set up identically on both routers, so the loopback networks are reachable before any encryption is involved:
#sh run | section router
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
The crypto configurations (note that both ISAKMP policies set only `authentication pre-share`, so encryption, hash and DH group fall back to the IOS defaults of DES, SHA-1 and group 1, and the transform set is esp-des; acceptable for a lab, not for production):
SW1#sh run | section crypto
crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 100 ipsec-isakmp
set peer 192.168.1.2
set transform-set SET
match address ACL
crypto map VPN
R1#sh run | section crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 192.168.1.1
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 200 ipsec-isakmp
set peer 192.168.1.1
set transform-set SET
match address ACL
crypto map VPN
And the interfaces, with the crypto map applied to the link-facing interface on each side:
SW1#sh run int f1/1
Building configuration...
Current configuration : 102 bytes
!
interface FastEthernet1/1
no switchport
ip address 192.168.1.1 255.255.255.0
crypto map VPN
end
R1#sh run int f0/0
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
crypto map VPN
end
From R1, routing is correct: the remote loopback network 10.0.10.0/24 is learned via RIP through 192.168.1.1, so the packets do reach the interface with the crypto map:
R1#sh ip route
10.0.0.0/24 is subnetted, 2 subnets
R 10.0.10.0 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C 10.0.0.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
Before any interesting traffic is sent there is no ISAKMP SA at all:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
A ping from R1's loopback to SW1's loopback still fails; this is the interesting traffic that should trigger ISAKMP:
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5)
An ISAKMP SA now exists, but Phase 1 never completes: it is stuck in MM_KEY_EXCH instead of reaching QM_IDLE, see below:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 MM_KEY_EXCH 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
Let's look at the Phase 1 debug (`debug crypto isakmp`) while repeating the ping:
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
*Mar 1 00:42:59.127: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 00:42:59.131: ISAKMP: Created a peer struct for 192.168.1.1, peer port 500
*Mar 1 00:42:59.135: ISAKMP: New peer created peer = 0x63B01638 peer_handle = 0x80000005
*Mar 1 00:42:59.139: ISAKMP: Locking peer struct 0x63B01638, refcount 1 for isakmp_initiator
*Mar 1 00:42:59.139: ISAKMP: local port 500, remote port 500
*Mar 1 00:42:59.143: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:42:59.147: insert sa successfully sa = 64D7851C
*Mar 1 00:42:59.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:42:59.151: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.155: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 00:42:59.159: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 00:42:59.167: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:42:59.167: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:42:59.171: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 00:42:59.175: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:42:59.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.287: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:42:59.295: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:42:59.295: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:42:59.347: ISAKMP:(0): processing SA payload. message ID. = 0
*Mar 1 00:42:59.347: ISAKMP:(0): processing vendor id payload
*Mar 1 00:42:59.351: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 1 00:42:59.351: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 1 00:42:59.355: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.355: ISAKMP:(0): local preshared key found
*Mar 1 00:42:59.355: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:42:59.355: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:42:59.355: ISAKMP: encryption DES-CBC
*Mar 1 00:42:59.355: ISAKMP: hash SHA
*Mar 1 00:42:59.355: ISAKMP: default group 1
*Mar 1 00:42:59.355: ISAKMP: auth pre-share
*Mar 1 00:42:59.355: ISAKMP: life type in seconds
*Mar 1 00:42:59.355: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:42:59.355: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 00:42:59.355: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 00:42:59.355: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 00:42:59.355: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 00:42:59.359: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 00:42:59.359: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 00:42:59.363: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 00:42:59.363: ISAKMP:(0): processing vendor id payload
*Mar 1 00:42:59.367: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 1 00:42:59.371: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 1 00:42:59.371: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:42:59.371: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:42:59.371: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 00:42:59.371: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.375: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:42:59.375: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:42:59.523: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 00:42:59.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:42:59.531: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:42:59.543: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 00:42:59.635: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 00:42:59.635: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): vendor ID is Unity
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): vendor ID is DPD
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): speaking to another IOS box!
*Mar 1 00:42:59.635: ISAKMP:received payload type 20
*Mar 1 00:42:59.635: ISAKMP:received payload type 20
*Mar 1 00:42:59.635: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:42:59.635: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:42:59.635: ISAKMP:(1004):Send initial contact
*Mar 1 00:42:59.635: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:42:59.635: ISAKMP (0:1004): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Mar 1 00:42:59.635: ISAKMP:(1004):Total payload length: 12
*Mar 1 00:42:59.635: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:42:59.635: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.639: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:42:59.639: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:43:00.743: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:00.747: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Mar 1 00:43:00.751: ISAKMP:(1004): retransmitting due to retransmit phase 1
*Mar 1 00:43:01.251: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:43:01.255: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:01.259: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:01.263: ISAKMP:(1004):Sending an IKE IPv4 Packet...
Success rate is 0 percent (0/5)
R1#
*Mar 1 00:43:11.267: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:43:11.271: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:11.275: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:11.279: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:11.879: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:11.883: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:11.887: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 600)
R1#
*Mar 1 00:43:21.283: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:21.287: ISAKMP (0:1004): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 00:43:21.287: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:21.291: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:21.295: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:21.927: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:21.931: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:21.935: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 632)
R1#
*Mar 1 00:43:29.127: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:43:29.131: ISAKMP:(1004):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.1)
*Mar 1 00:43:29.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 1 00:43:29.135: ISAKMP: Error while processing KMI message 0, error 2.
R1#
*Mar 1 00:43:31.299: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:31.303: ISAKMP (0:1004): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 00:43:31.303: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:31.307: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:31.311: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:31.851: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:31.855: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:31.859: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 540)
R1#
*Mar 1 00:43:41.315: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:41.319: ISAKMP (0:1004): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 00:43:41.319: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:41.323: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:41.327: ISAKMP:(1004):Sending an IKE IPv4 Packet.
R1#
The debug tells the story. Policy negotiation succeeds ("atts are acceptable"), the DH and nonce exchange completes (MM3/MM4), and R1 sends MM5, the first message encrypted with keys derived from the pre-shared key. From then on R1 only ever receives the peer's previous packet again ("phase 1 packet is a duplicate of a previous packet") while retransmitting MM5 until the error counter reaches 5 of 5. SW1 cannot decrypt MM5, so it never answers it. That is what a mismatched pre-shared key looks like in main mode; there is no explicit "key mismatch" message to search for.
The problem is the ISAKMP key. At first glance the keyword 'cisco' is identical on both routers, but a closer look at these two lines
R1 and SW1:
crypto isakmp key cisco address 192.168.1.1
crypto isakmp key cisco address 192.168.1.2
shows that on router R1 there is an extra space before the key. A stray space is almost impossible to see in the running configuration; `show crypto isakmp key`, which lists the configured key per peer, is a quicker place to spot it.
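The following Python helper is an added example and not part of the original post. It reads IOS `debug crypto isakmp` output like the capture above and summarises where main mode stalls: a rejected policy proposal, no reply at all at MM_NO_STATE, or MM5 (MM_KEY_EXCH) being retransmitted while the peer keeps resending its previous packet, which is the pre-shared key mismatch signature seen here. The three sample captures are constructed in the format of the output above, not verbatim from the page, and the diagnosis strings are the helper's own heuristics, not IOS messages.

```python
import re

# Constructed samples in the format of IOS 'debug crypto isakmp' output,
# abbreviated from the pattern shown in the post (not verbatim captures).
SAMPLE_PSK_MISMATCH = """\
*Mar 1 00:42:59.355: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:42:59.355: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 00:42:59.371: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 00:42:59.523: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 00:42:59.635: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:00.743: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:00.747: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Mar 1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:43:01.259: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:43:11.883: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
"""

SAMPLE_NO_REPLY = """\
*Mar 1 00:50:00.000: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:50:10.000: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:50:10.000: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SAMPLE_POLICY_MISMATCH = """\
*Mar 1 00:55:00.000: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (N) NEW SA
*Mar 1 00:55:00.000: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:55:00.000: ISAKMP:(0):atts are not acceptable. Next payload is 0
"""

# The ISAKMP state name is the last word of every "sending"/"received" line.
SENT_RE = re.compile(r"sending packet to \S+ .*\([IRN]\) (\w+)")
RECV_RE = re.compile(r"received packet from \S+ .*\([IRN]\) (\w+)")
ATTEMPT_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
DUP_RE = re.compile(r"phase 1 packet is a duplicate")
ATTS_RE = re.compile(r"atts are (not )?acceptable")


def classify_phase1(debug_text):
    """Summarise one IKEv1 main-mode attempt from 'debug crypto isakmp' lines.

    Returns a dict with the last state sent and received, the highest
    retransmit attempt number, the number of duplicate packets seen, and a
    heuristic diagnosis string.
    """
    sent, received = [], []
    attempts = duplicates = 0
    atts_ok = atts_rejected = False
    for line in debug_text.splitlines():
        if m := SENT_RE.search(line):
            sent.append(m.group(1))
        elif m := RECV_RE.search(line):
            received.append(m.group(1))
        elif m := ATTEMPT_RE.search(line):
            attempts = max(attempts, int(m.group(1)))
        elif DUP_RE.search(line):
            duplicates += 1
        elif m := ATTS_RE.search(line):
            if m.group(1):
                atts_rejected = True
            else:
                atts_ok = True

    last_sent = sent[-1] if sent else None
    last_received = received[-1] if received else None

    if atts_rejected and not atts_ok:
        diagnosis = "policy mismatch: no ISAKMP policy matched the peer's proposal"
    elif "QM_IDLE" in sent or "QM_IDLE" in received:
        diagnosis = "phase 1 complete; investigate phase 2 (crypto ACL / transform set)"
    elif not received and last_sent == "MM_NO_STATE":
        diagnosis = "no reply from peer: check reachability, UDP/500 filtering and the peer's crypto map"
    elif last_sent == "MM_KEY_EXCH" and attempts and duplicates:
        # MM5 is the first encrypted message; a peer with a different PSK
        # cannot decrypt it and just resends its own last packet (our duplicate).
        diagnosis = "pre-shared key mismatch: MM5 retransmitted while the peer resends its previous packet"
    else:
        diagnosis = "undetermined: inspect the full debug"

    return {
        "last_sent": last_sent,
        "last_received": last_received,
        "attempts": attempts,
        "duplicates": duplicates,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for name, sample in [("psk", SAMPLE_PSK_MISMATCH), ("no-reply", SAMPLE_NO_REPLY),
                         ("policy", SAMPLE_POLICY_MISMATCH)]:
        print(name, classify_phase1(sample))
```

Feed it the output of `debug crypto isakmp` from the initiator side; the retransmit counter and the state name at the last "sending packet" line are what distinguish the three common Phase 1 failures from each other.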
Let's fix it by re-entering the key on R1 and see what happens:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no crypto isakmp key cisco address 192.168.1.1
R1(config)#crypto isakmp key "cisco" address 192.168.1.1
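To catch this class of mistake without staring at two running configs, here is an added Python check that is not from the original post. It extracts the `crypto isakmp key ... address ...` line each side configured for the other, keeps the key byte-for-byte (whitespace included), and reports whether the keys match, differ only by invisible whitespace, or differ outright. The two config excerpts are constructed to reproduce the situation above (a leading space on R1's key); IOS itself may or may not store such a key exactly this way, so treat the inputs as an assumption about the text you paste in.

```python
import re

# Constructed config excerpts modelled on the post; R1's key carries a leading space.
R1_CRYPTO = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key  cisco address 192.168.1.1
"""
SW1_CRYPTO = """\
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key cisco address 192.168.1.2
"""
R1_CRYPTO_FIXED = R1_CRYPTO.replace("key  cisco", "key cisco")

# Keeps the key exactly as written, including leading/trailing whitespace,
# by matching lazily up to the literal " address " token.
KEY_LINE_RE = re.compile(r"^\s*crypto isakmp key (.*?) address (\S+)", re.MULTILINE)


def extract_psks(config_text):
    """Return {peer_address: raw_key} from an IOS running-config excerpt."""
    return {peer: key for key, peer in KEY_LINE_RE.findall(config_text)}


def compare_psks(local_cfg, local_addr, remote_cfg, remote_addr):
    """Compare the key each side configured for the other side's address.

    Returns (status, detail) where status is 'match', 'missing_key',
    'whitespace_mismatch' or 'mismatch'. repr() in the detail makes spaces,
    tabs and non-breaking spaces visible.
    """
    local_key = extract_psks(local_cfg).get(remote_addr)
    remote_key = extract_psks(remote_cfg).get(local_addr)
    detail = f"local={local_key!r} remote={remote_key!r}"
    if local_key is None or remote_key is None:
        return "missing_key", detail
    if local_key == remote_key:
        return "match", detail
    if local_key.strip() == remote_key.strip():
        return "whitespace_mismatch", detail
    return "mismatch", detail


if __name__ == "__main__":
    print(compare_psks(R1_CRYPTO, "192.168.1.2", SW1_CRYPTO, "192.168.1.1"))
    print(compare_psks(R1_CRYPTO_FIXED, "192.168.1.2", SW1_CRYPTO, "192.168.1.1"))
```

The `whitespace_mismatch` result is the one that corresponds to this post: the keys look identical when printed, but `repr()` shows `' cisco'` against `'cisco'`.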
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/173/252 ms
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1006 0 ACTIVE
192.168.1.1 192.168.1.2 MM_NO_STATE 1005 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
So it's working now: Phase 1 reaches QM_IDLE (the MM_NO_STATE entry marked "deleted" is the old, failed SA being torn down), and the IPsec SA shows packets being encapsulated and decapsulated in both directions. The first ping of the batch was lost while the SAs were still being negotiated, which is why the success rate is 4/5 rather than 5/5.