08.09.2004 at 09:15AM PDT, ID: 21087189
IPSec between Cisco VPN Concentrator 3005 and Cisco 2621 router

Asked by gpshute in Virtual Private Networking (VPN)

Can anybody help me troubleshoot this IPsec tunnel?

I am running IOS ver 11.3(2)XA4 on a Cisco 2621 router and Version 4.1.5 on my Cisco 3005 concentrator.

I have configured a LAN2LAN connection on the concentrator.
I am trying to use pre-shared keys ESP/MD5/HMAC-128 for authentication with 3DES-168 encryption and IKE-3DES-MD5 as an IKE proposal.

My concentrator is behind a PIX and the outside address is using NAT.

Looking at the logs, it appears that phase II is failing. (unusual).

Here is the config from the router:

--------------------------------------------------
sh run
Building configuration...

Current configuration : 1369 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret <removed>
enable password <Removed>
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ip$ec address <removed real address>
crypto isakmp key ip$ec address <Removed NAT address>
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer <removed NAT address>
 set transform-set to_vpn
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address <Removed outside address>
 speed auto
 full-duplex
 crypto map to_vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 172.30.10.1 255.255.255.248
 speed auto
 full-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 <removed default router>
!
!
access-list 101 permit ip 172.30.10.0 0.0.0.7 <removed remote LAN address> 0.0.255.255
dialer-list 1 protocol ip permit
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
voice-port 1/1/1
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password <removed>
 login
!
!
end

----------------------------------------------------------------

Here is a debug from the router:

debug cryp isakmp
Crypto ISAKMP debugging is on
Router#debug cryp ipsec
Crypto IPSEC debugging is on
Router#term mon
Router#ping
Protocol [ip]:
Target IP address: <removed remote host>
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.30.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <removed remote LAN>, timeout is 2 seconds:
Packet sent with a source address of 172.30.10.1

00:05:28: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= <Removed Local Address>, remote= <removed remote address>,
    local_proxy= 172.30.10.0/255.255.255.248/0/0 (type=4),
    remote_proxy= <removed remote LAN>/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xE6427210(3863114256), conn_id= 0, keysize= 0, flags= 0x400A
00:05:28: ISAKMP: received ke message (1/1)
00:05:28: ISAKMP (0:0): SA request profile is (NULL)
00:05:28: ISAKMP: local port 500, remote port 500
00:05:28: ISAKMP: set new node 0 to QM_IDLE      
00:05:28: ISAKMP: insert sa successfully sa = 82DB4AD8
00:05:28: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:05:28: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:28: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-07 ID
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-03 ID
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-02 ID
00:05:28: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:05:28: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

00:05:28: ISAKMP (0:1): beginning Main Mode exchange.
00:05:28: ISAKMP (0:1): sending packet to <removed remote address> my_port 500 peer_port 500 (I) MM_NO_STATE....
Success rate is 0 percent (0/5)
Router#
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:05:38: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:05:38: ISAKMP (0:1): sending packet to <removed remote address> my_port 500 peer_port 500 (I) MM_NO_STATE
00:05:38: ISAKMP (0:1): received packet from <removed remote address> dport 500 sport 500 Global (I) MM_NO_STATE
00:05:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:38: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

00:05:38: ISAKMP (0:1): processing SA payload. message ID = 0
00:05:38: ISAKMP (0:1): processing vendor id payload
00:05:38: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
00:05:38: ISAKMP (0:1): vendor ID is NAT-T v2
00:05:38: ISAKMP (0:1): processing vendor id payload
00:05:38: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:05:38: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:38: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:38: ISAKMP (0:1) local preshared key found
00:05:38: ISAKMP : Scanning profiles for xauth ...
00:05:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:05:38: ISAKMP:      encryption 3DES-CBC
00:05:38: ISAKMP:      hash MD5
00:05:38: ISAKMP:      default group 2
00:05:38: ISAKMP:      auth pre-share
00:05:38: ISAKMP:      life type in seconds
00:05:38: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:05:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
00:05:39: ISAKMP (0:1): vendor ID is NAT-T v2
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

00:05:39: ISAKMP (0:1): sending packet <removed remote address> my_port 500 peer_port 500 (I) MM_SA_SETUP
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 500 sport 500 Global (I) MM_SA_SETUP
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

00:05:39: ISAKMP (0:1): processing KE payload. message ID = 0
00:05:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:05:39: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:39: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:39: ISAKMP (0:1): SKEYID state generated
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID is Unity
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 175 mismatch
00:05:39: ISAKMP (0:1): vendor ID is XAUTH
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): speaking to another IOS box!
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 4 mismatch
00:05:39: ISAKMP:received payload type 20
00:05:39: ISAKMP:received payload type 20
00:05:39: ISAKMP (0:1): NAT found, the node outside NAT
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

00:05:39: ISAKMP (0:1): Send initial contact
00:05:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:05:39: ISAKMP (0:1): ID payload
      next-payload : 8
      type         : 1
      address      : <removed local address>
      protocol     : 17
      port         : 0
      length       : 12
00:05:39: ISAKMP (1): Total payload length: 12
00:05:39: ISAKMP (0:1): sending packet to <removed remote address> my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 4500 sport 4500 Global (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

00:05:39: ISAKMP (0:1): processing ID payload. message ID = 0
00:05:39: ISAKMP (0:1): ID payload
      next-payload : 8
      type         : 1
      address      : <removed remote non-NATTED address of concentrator>
      protocol     : 17
      port         : 0
      length       : 12
00:05:39: ISAKMP (0:1): processing HASH payload. message ID = 0
00:05:39: ISAKMP:received payload type 17
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID is DPD
00:05:39: ISAKMP (0:1): SA authentication status:
      authenticated
00:05:39: ISAKMP (0:1): SA has been authenticated with <removed remote address>
00:05:39: ISAKMP (0:1): peer matches *none* of the profiles
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

00:05:39: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2023064236
00:05:39: ISAKMP (0:1): sending packet to <removed remote address> my_port 4500 peer_port 4500 (I) QM_IDLE
00:05:39: ISAKMP (0:1): Node -2023064236, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
00:05:39: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 4500 sport 4500 Global (I) QM_IDLE
00:05:39: ISAKMP: set new node -1563502446 to QM_IDLE      
00:05:39: ISAKMP (0:1): processing HASH payload. message ID = -1563502446
00:05:39: ISAKMP:received payload type 18
00:05:39: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1563502446, reason: Unknown delete reason!
00:05:39: ISAKMP (0:1): peer does not do paranoid keepalives.

00:05:39: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 62.173.247.172) input queue 0
00:05:39: ISAKMP (0:1): deleting node -1563502446 error FALSE reason "informational (in) state 1"
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

00:05:39: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE       (peer 62.173.247.172) input queue 0
00:05:39: ISAKMP (0:1): deleting node -2023064236 error FALSE reason ""
00:05:39: ISAKMP (0:1): deleting node -1563502446 error FALSE reason ""
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_DEST_SA  New State = IKE_DEST_SA


Any Suggestions?

Thanks
Graham
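Added by the editor, not code from the poster or from Cisco: a small Python reader for `debug crypto isakmp` output that records the state transitions and flags the facts a troubleshooter checks first. Run over a trimmed copy of the trace above (a constructed sample, with the one peer address the post left visible replaced by a placeholder), it confirms what the trace already shows: NAT-T was detected and the exchange moved to UDP 4500, Phase 1 reached IKE_P1_COMPLETE with the SA authenticated (so the pre-shared key and IKE policy matched on both sides), Quick Mode message 1 went out, and the SA was then torn down because the peer sent a delete ("P1 delete notify (in)"). Because that delete is inbound, the reason for it is only visible in the concentrator's own log, not in the router's. The field names and verdict strings are the editor's own.

```python
import re

# Constructed sample input: a trimmed copy of the "debug crypto isakmp" output
# quoted in the question above. The poster's redaction placeholders are kept,
# and the one peer address the post left visible is replaced by a placeholder.
SAMPLE_DEBUG = """\
00:05:28: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:05:28: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:05:38: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
00:05:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
00:05:39: ISAKMP (0:1): NAT found, the node outside NAT
00:05:39: ISAKMP (0:1): sending packet to <removed remote address> my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6
00:05:39: ISAKMP (0:1): SA has been authenticated with <removed remote address>
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
00:05:39: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2023064236
00:05:39: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:05:39: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1563502446, reason: Unknown delete reason!
00:05:39: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer <removed remote address>) input queue 0
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# IOS prints every IKE state machine step as "Old State = X  New State = Y".
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")


def parse_isakmp_debug(text):
    """Walk the debug line by line; return (list of state transitions, findings dict)."""
    transitions = []
    findings = {
        "retransmits": 0,            # Main Mode message 1 resent (peer silent)
        "nat_t_detected": False,     # NAT-Discovery payloads matched a NAT
        "udp_4500_in_use": False,    # exchange floated to the NAT-T port
        "authenticated": False,      # PSK authentication of the Phase 1 SA passed
        "phase1_complete": False,    # state machine reached IKE_P1_COMPLETE
        "quick_mode_started": False, # Quick Mode message 1 was sent
        "peer_delete_received": False,  # peer sent a DELETE for the Phase 1 SA
        "sa_destroyed": False,       # local SA torn down (IKE_DEST_SA)
    }
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) != m.group(2):   # skip no-op X -> X lines
            transitions.append((m.group(1), m.group(2)))
        if "retransmitting phase 1" in line:
            findings["retransmits"] += 1
        if "NAT found" in line:
            findings["nat_t_detected"] = True
        if "my_port 4500" in line:
            findings["udp_4500_in_use"] = True
        if "SA has been authenticated" in line:
            findings["authenticated"] = True
        if "New State = IKE_P1_COMPLETE" in line:
            findings["phase1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            findings["quick_mode_started"] = True
        if "DELETE_WITH_REASON" in line or "P1 delete notify (in)" in line:
            findings["peer_delete_received"] = True
        if "New State = IKE_DEST_SA" in line:
            findings["sa_destroyed"] = True
    return transitions, findings


def diagnose(findings):
    """Map the findings to a coarse verdict naming where the negotiation stopped.

    Verdict strings are the editor's own labels, not IOS messages.
    """
    if not findings["phase1_complete"]:
        if findings["retransmits"] and not findings["authenticated"]:
            return "phase1-no-peer-response"   # nothing came back: reachability/UDP 500 filtering
        return "phase1-failed"                 # peer answered but Phase 1 never completed
    if findings["peer_delete_received"]:
        return "phase1-complete-peer-sent-delete"  # look at the peer's log for its reason
    if not findings["quick_mode_started"]:
        return "phase1-complete-no-quick-mode"
    return "phase2-negotiating"


if __name__ == "__main__":
    trans, found = parse_isakmp_debug(SAMPLE_DEBUG)
    for old, new in trans:
        print(f"{old:>16} -> {new}")
    for key, value in found.items():
        print(f"{key:>22}: {value}")
    print("verdict:", diagnose(found))
```

The parser deliberately ignores the "vendor ID seems Unity/DPD but major ... mismatch" lines: they are IOS failing to classify an unfamiliar vendor ID payload and are not an error. For the trace above, the verdict is "phase1-complete-peer-sent-delete", which says the router side has nothing more to tell and the next place to read is the concentrator's event log.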
About this solution

Zone: Virtual Private Networking (VPN)
Tags: cisco
Solution Provided By: Computer101
Participating Experts: 2
Solution Grade: A