VPN shared key troubleshooting

One of the top 10 common Cisco VPN problems is mismatched pre-shared keys. This is an easy one to fix, but not always easy to notice; see the case below.

A simple IPsec tunnel between the Fast Ethernet interfaces of routers SW1 (f1/1) and R1 (f0/0).

Loopback0---10.0.0.2---R1<-.2-f0/0---192.168.1/24---f1/1-.1->SW1---10.0.10.1--- Loopback0

I can't ping the loopback interfaces of these routers; see below:
 SW1#ping 10.0.0.2 source 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1
.....
Success rate is 0 percent (0/5) 


 R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5) 


The configuration is simple and straightforward; see below:
 R1#sh crypto map tag VPN
Crypto Map "VPN" 200 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list ACL
            access-list ACL permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                SET,
        }
        Interfaces using crypto map VPN:
                FastEthernet0/0


 SW1#sh crypto map tag VPN
Crypto Map "VPN" 100 ipsec-isakmp
        Peer = 192.168.1.2
        Extended IP access list ACL
            access-list ACL permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
        Current peer: 192.168.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                SET,
        }
        Interfaces using crypto map VPN:
                FastEthernet1/1


RIP is set up on both routers:
 #sh run | section router
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary


See the crypto configurations:
 SW1#sh run | section crypto
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 100 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set SET
 match address ACL
 crypto map VPN


 R1#sh run | section crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key  cisco address 192.168.1.1
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 200 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set SET
 match address ACL
 crypto map VPN


And the interfaces:
 SW1#sh run int f1/1
Building configuration...
Current configuration : 102 bytes
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.1.1 255.255.255.0
 crypto map VPN
end


 R1#sh run int f0/0
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
end


From R1, routing seems to be correct:

 R1#sh ip route
     10.0.0.0/24 is subnetted, 2 subnets
R       10.0.10.0 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C       10.0.0.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0


 R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA


I cannot ping SW1's loopback from R1's loopback:
 R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5) 


But Phase I is not completed (the ISAKMP SA is stuck in MM_KEY_EXCH); see below:
 R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     MM_KEY_EXCH       1004    0 ACTIVE
IPv6 Crypto ISAKMP SA


Let's look at the Phase I debug output:
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
*Mar  1 00:42:59.127: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 00:42:59.131: ISAKMP: Created a peer struct for 192.168.1.1, peer port 500
*Mar  1 00:42:59.135: ISAKMP: New peer created peer = 0x63B01638 peer_handle = 0x80000005
*Mar  1 00:42:59.139: ISAKMP: Locking peer struct 0x63B01638, refcount 1 for isakmp_initiator
*Mar  1 00:42:59.139: ISAKMP: local port 500, remote port 500
*Mar  1 00:42:59.143: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:42:59.147: insert sa successfully sa = 64D7851C
*Mar  1 00:42:59.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:42:59.151: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar  1 00:42:59.155: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 00:42:59.159: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 00:42:59.167: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:42:59.167: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:42:59.171: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 00:42:59.175: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:42:59.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:42:59.287: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 00:42:59.295: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:42:59.295: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 00:42:59.347: ISAKMP:(0): processing SA payload. message ID. = 0
*Mar  1 00:42:59.347: ISAKMP:(0): processing vendor id payload
*Mar  1 00:42:59.351: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  1 00:42:59.351: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar  1 00:42:59.355: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar  1 00:42:59.355: ISAKMP:(0): local preshared key found
*Mar  1 00:42:59.355: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:42:59.355: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:42:59.355: ISAKMP:      encryption DES-CBC
*Mar  1 00:42:59.355: ISAKMP:      hash SHA
*Mar  1 00:42:59.355: ISAKMP:      default group 1
*Mar  1 00:42:59.355: ISAKMP:      auth pre-share
*Mar  1 00:42:59.355: ISAKMP:      life type in seconds
*Mar  1 00:42:59.355: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:42:59.355: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 00:42:59.355: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  1 00:42:59.355: ISAKMP:(0):Acceptable atts:life: 0
*Mar  1 00:42:59.355: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  1 00:42:59.359: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  1 00:42:59.359: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  1 00:42:59.363: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar  1 00:42:59.363: ISAKMP:(0): processing vendor id payload
*Mar  1 00:42:59.367: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  1 00:42:59.371: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar  1 00:42:59.371: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:42:59.371: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 00:42:59.371: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 00:42:59.371: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:42:59.375: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:42:59.375: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 00:42:59.523: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 00:42:59.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:42:59.531: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 00:42:59.543: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 00:42:59.635: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 00:42:59.635: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar  1 00:42:59.635: ISAKMP:(1004): vendor ID is Unity
*Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar  1 00:42:59.635: ISAKMP:(1004): vendor ID is DPD
*Mar  1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar  1 00:42:59.635: ISAKMP:(1004): speaking to another IOS box!
*Mar  1 00:42:59.635: ISAKMP:received payload type 20
*Mar  1 00:42:59.635: ISAKMP:received payload type 20
*Mar  1 00:42:59.635: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:42:59.635: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 00:42:59.635: ISAKMP:(1004):Send initial contact
*Mar  1 00:42:59.635: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:42:59.635: ISAKMP (0:1004): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:42:59.635: ISAKMP:(1004):Total payload length: 12
*Mar  1 00:42:59.635: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:42:59.635: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar  1 00:42:59.639: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:42:59.639: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 00:43:00.743: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:43:00.747: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:43:00.751: ISAKMP:(1004): retransmitting due to retransmit phase 1
*Mar  1 00:43:01.251: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:43:01.255: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:43:01.259: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:43:01.263: ISAKMP:(1004):Sending an IKE IPv4 Packet...
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:43:11.267: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:43:11.271: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:43:11.275: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:43:11.279: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar  1 00:43:11.879: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:43:11.883: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar  1 00:43:11.887: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 600)
R1#
*Mar  1 00:43:21.283: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:43:21.287: ISAKMP (0:1004): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:43:21.287: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:43:21.291: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:43:21.295: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar  1 00:43:21.927: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:43:21.931: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar  1 00:43:21.935: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 632)
R1#
*Mar  1 00:43:29.127: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:43:29.131: ISAKMP:(1004):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.1)
*Mar  1 00:43:29.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 00:43:29.135: ISAKMP: Error while processing KMI message 0, error 2.
R1#
*Mar  1 00:43:31.299: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:43:31.303: ISAKMP (0:1004): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:43:31.303: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:43:31.307: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:43:31.311: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar  1 00:43:31.851: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:43:31.855: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar  1 00:43:31.859: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 540)
R1#
*Mar  1 00:43:41.315: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:43:41.319: ISAKMP (0:1004): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:43:41.319: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:43:41.323: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:43:41.327: ISAKMP:(1004):Sending an IKE IPv4 Packet.
R1#


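As an added example (not part of the original article), here is a small Python helper that parses "show crypto isakmp sa" output in the layout shown above and maps the Phase I state to its likely cause, flagging an SA that never leaves MM_KEY_EXCH as a probable pre-shared key mismatch. The sample output and the STATE_HINT wording are constructed for this example.

```python
import re

# Constructed sample of "show crypto isakmp sa" output in the same layout the
# article shows (not copied from the routers on the page).
SAMPLE_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     MM_KEY_EXCH       1004    0 ACTIVE
192.168.1.1     192.168.1.2     MM_NO_STATE       1003    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
"""

SA_LINE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$"
)

# Interpretation table written for this example; the state names are the real
# IOS Main Mode / Quick Mode states, the hints are troubleshooting guidance.
STATE_HINT = {
    "MM_NO_STATE": "SA created but no Main Mode reply yet: check reachability on UDP 500 and that the crypto map is applied",
    "MM_SA_SETUP": "ISAKMP policy agreed, waiting on the key exchange",
    "MM_KEY_EXCH": "DH exchange done but authentication never completes: the pre-shared keys most likely do not match (look for stray spaces in 'crypto isakmp key')",
    "QM_IDLE": "Phase I complete; Phase II (IPsec SA) can be negotiated",
}

def parse_isakmp_sa(text):
    """Return one dict per SA row, marking rows IOS has already deleted."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["deleted"] = "(deleted)" in sa["status"]
            sas.append(sa)
    return sas

def diagnose(text):
    """Return (state, hint) for the first live SA, or a no-SA verdict."""
    live = [sa for sa in parse_isakmp_sa(text) if not sa["deleted"]]
    if not live:
        return "no-sa", "no ISAKMP SA at all: nothing matched the crypto ACL or IKE never started"
    state = live[0]["state"]
    return state, STATE_HINT.get(state, "unrecognised state")
```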
The solution lies in the ISAKMP key. At first glance the keyword 'cisco' is exactly the same on both routers, but a closer look at these lines

R1 and SW1:
crypto isakmp key  cisco address 192.168.1.1
crypto isakmp key cisco address 192.168.1.2

shows that there is an extra space before the key on router R1, so the two pre-shared keys do not actually match.
Let's fix it and see what happens:
 R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no crypto isakmp key  cisco address 192.168.1.1
R1(config)#crypto isakmp key "cisco" address 192.168.1.1


 R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/173/252 ms


 R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     192.168.1.2     QM_IDLE           1006    0 ACTIVE
192.168.1.1     192.168.1.2     MM_NO_STATE       1005    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA


 R1#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 192.168.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4


So it's working now.
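As an added example (not code from the article), this Python check extracts the "crypto isakmp key ... address ..." lines from two router configurations without collapsing whitespace, so a stray space like the one on R1 is caught before IKE ever runs; the sample configs and function names are constructed for this example.

```python
import re

# Constructed configs reproducing the article's situation: R1's key was typed
# with two spaces before "cisco". These are samples, not the page's own dumps.
R1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key  cisco address 192.168.1.1
"""
SW1_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key cisco address 192.168.1.2
"""

# Keep everything between "key " and " address" verbatim so stray spaces survive;
# a plain str.split() would silently hide the defect the article describes.
PSK_LINE = re.compile(r"^crypto isakmp key (?P<key>.*?) address (?P<peer>\S+)", re.M)

def isakmp_keys(config):
    """Map peer address -> pre-shared key exactly as written in the config."""
    return {m.group("peer"): m.group("key") for m in PSK_LINE.finditer(config)}

def check_psk_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Compare the key A holds for B with the key B holds for A; return findings."""
    findings = []
    key_ab = isakmp_keys(cfg_a).get(addr_b)
    key_ba = isakmp_keys(cfg_b).get(addr_a)
    for label, key in (("A->B", key_ab), ("B->A", key_ba)):
        if key is None:
            findings.append(f"{label}: no 'crypto isakmp key' entry for the peer")
        elif key != key.strip() or "  " in key:
            findings.append(f"{label}: key has stray whitespace: {key!r}")
    if key_ab is not None and key_ba is not None and key_ab != key_ba:
        findings.append(f"keys differ: {key_ab!r} vs {key_ba!r}")
    return findings
```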
Author:irom77