Solved

IPSec between Cisco VPN Concentrator 3005 and Cisco 2621 router

Posted on 2004-08-09
Last Modified: 2012-06-21
Can anybody help me troubleshoot this IPSec tunnel?

I am running IOS ver 11.3(2)XA4 on a Cisco 2621 router and Version 4.1.5 on my Cisco 3005 concentrator.

I have configured a LAN2LAN connection on the concentrator.
I am trying to use pre-shared keys ESP/MD5/HMAC-128 for authentication with 3DES-168 encryption and IKE-3DES-MD5 as an IKE proposal.

My concentrator is behind a PIX and the outside address is using NAT.

Looking at the logs, it appears that phase II is failing. (unusual).

Here is the config from the router:

--------------------------------------------------
sh run
Building configuration...

Current configuration : 1369 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret <removed>
enable password <Removed>
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ip$ec address <removed real address>
crypto isakmp key ip$ec address <Removed NAT address>
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer <removed NAT address>
 set transform-set to_vpn
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address <Removed outside address>
 speed auto
 full-duplex
 crypto map to_vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 172.30.10.1 255.255.255.248
 speed auto
 full-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 <removed default router>
!
!
access-list 101 permit ip 172.30.10.0 0.0.0.7 <removed remote LAN address> 0.0.255.255
dialer-list 1 protocol ip permit
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
voice-port 1/1/1
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password <removed>
 login
!
!
end

----------------------------------------------------------------

Here is a debug from the router:

debug cryp isakmp
Crypto ISAKMP debugging is on
Router#debug cryp ipsec
Crypto IPSEC debugging is on
Router#term mon
Router#ping
Protocol [ip]:
Target IP address: <removed remote host>
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.30.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <removed remote LAN>, timeout is 2 seconds:
Packet sent with a source address of 172.30.10.1

00:05:28: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= <Removed Local Address>, remote= <removed remote address>,
    local_proxy= 172.30.10.0/255.255.255.248/0/0 (type=4),
    remote_proxy= <removed remote LAN>/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xE6427210(3863114256), conn_id= 0, keysize= 0, flags= 0x400A
00:05:28: ISAKMP: received ke message (1/1)
00:05:28: ISAKMP (0:0): SA request profile is (NULL)
00:05:28: ISAKMP: local port 500, remote port 500
00:05:28: ISAKMP: set new node 0 to QM_IDLE      
00:05:28: ISAKMP: insert sa successfully sa = 82DB4AD8
00:05:28: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:05:28: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:28: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-07 ID
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-03 ID
00:05:28: ISAKMP (0:1): constructed NAT-T vendor-02 ID
00:05:28: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:05:28: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

00:05:28: ISAKMP (0:1): beginning Main Mode exchange.
00:05:28: ISAKMP (0:1): sending packet to <removed remote address> my_port 500 peer_port 500 (I) MM_NO_STATE....
Success rate is 0 percent (0/5)
Router#
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:05:38: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:05:38: ISAKMP (0:1): sending packet to <removed remote address> my_port 500 peer_port 500 (I) MM_NO_STATE
00:05:38: ISAKMP (0:1): received packet from <removed remote address> dport 500 sport 500 Global (I) MM_NO_STATE
00:05:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:38: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

00:05:38: ISAKMP (0:1): processing SA payload. message ID = 0
00:05:38: ISAKMP (0:1): processing vendor id payload
00:05:38: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
00:05:38: ISAKMP (0:1): vendor ID is NAT-T v2
00:05:38: ISAKMP (0:1): processing vendor id payload
00:05:38: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:05:38: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:38: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:38: ISAKMP (0:1) local preshared key found
00:05:38: ISAKMP : Scanning profiles for xauth ...
00:05:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:05:38: ISAKMP:      encryption 3DES-CBC
00:05:38: ISAKMP:      hash MD5
00:05:38: ISAKMP:      default group 2
00:05:38: ISAKMP:      auth pre-share
00:05:38: ISAKMP:      life type in seconds
00:05:38: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:05:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
00:05:39: ISAKMP (0:1): vendor ID is NAT-T v2
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

00:05:39: ISAKMP (0:1): sending packet <removed remote address> my_port 500 peer_port 500 (I) MM_SA_SETUP
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 500 sport 500 Global (I) MM_SA_SETUP
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

00:05:39: ISAKMP (0:1): processing KE payload. message ID = 0
00:05:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:05:39: ISAKMP: Looking for a matching key for <removed remote address> in default : success
00:05:39: ISAKMP (0:1): found peer pre-shared key matching <removed remote address>
00:05:39: ISAKMP (0:1): SKEYID state generated
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID is Unity
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 175 mismatch
00:05:39: ISAKMP (0:1): vendor ID is XAUTH
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): speaking to another IOS box!
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID seems Unity/DPD but major 4 mismatch
00:05:39: ISAKMP:received payload type 20
00:05:39: ISAKMP:received payload type 20
00:05:39: ISAKMP (0:1): NAT found, the node outside NAT
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

00:05:39: ISAKMP (0:1): Send initial contact
00:05:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:05:39: ISAKMP (0:1): ID payload
      next-payload : 8
      type         : 1
      address      : <removed local address>
      protocol     : 17
      port         : 0
      length       : 12
00:05:39: ISAKMP (1): Total payload length: 12
00:05:39: ISAKMP (0:1): sending packet to <removed remote address> my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 4500 sport 4500 Global (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

00:05:39: ISAKMP (0:1): processing ID payload. message ID = 0
00:05:39: ISAKMP (0:1): ID payload
      next-payload : 8
      type         : 1
      address      : <removed remote non-NATTED address of concentrator>
      protocol     : 17
      port         : 0
      length       : 12
00:05:39: ISAKMP (0:1): processing HASH payload. message ID = 0
00:05:39: ISAKMP:received payload type 17
00:05:39: ISAKMP (0:1): processing vendor id payload
00:05:39: ISAKMP (0:1): vendor ID is DPD
00:05:39: ISAKMP (0:1): SA authentication status:
      authenticated
00:05:39: ISAKMP (0:1): SA has been authenticated with <removed remote address>
00:05:39: ISAKMP (0:1): peer matches *none* of the profiles
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

00:05:39: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2023064236
00:05:39: ISAKMP (0:1): sending packet to <removed remote address> my_port 4500 peer_port 4500 (I) QM_IDLE
00:05:39: ISAKMP (0:1): Node -2023064236, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
00:05:39: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 

00:05:39: ISAKMP (0:1): received packet from <removed remote address> dport 4500 sport 4500 Global (I) QM_IDLE
00:05:39: ISAKMP: set new node -1563502446 to QM_IDLE      
00:05:39: ISAKMP (0:1): processing HASH payload. message ID = -1563502446
00:05:39: ISAKMP:received payload type 18
00:05:39: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1563502446, reason: Unknown delete reason!
00:05:39: ISAKMP (0:1): peer does not do paranoid keepalives.

00:05:39: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 62.173.247.172) input queue 0
00:05:39: ISAKMP (0:1): deleting node -1563502446 error FALSE reason "informational (in) state 1"
00:05:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

00:05:39: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE       (peer 62.173.247.172) input queue 0
00:05:39: ISAKMP (0:1): deleting node -2023064236 error FALSE reason ""
00:05:39: ISAKMP (0:1): deleting node -1563502446 error FALSE reason ""
00:05:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:05:39: ISAKMP (0:1): Old State = IKE_DEST_SA  New State = IKE_DEST_SA


Any Suggestions?

Thanks
Graham
Question by:gpshute
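A way to read a capture like the one above mechanically, as an added example that is not part of the original post and not a Cisco tool: it pulls the "Old State / New State" transitions and a few marker lines out of an IOS "debug crypto isakmp" capture and reports whether the negotiation stopped in Phase 1 (no reply at all, or a reply that did not match) or in Phase 2 (peer delete during Quick Mode, which is what the posted debug shows), and whether NAT-T was negotiated. The two captures embedded in it are constructed excerpts modelled on the posted debug (the peer address is a documentation-range placeholder, not the poster's); the state names are the ones IOS prints.

```python
"""Classify an IOS 'debug crypto isakmp' capture by the IKE phase it stopped in.

Added example for the thread above; not Cisco code and not part of the post.
"""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PORT_RE = re.compile(r"my_port (\d+) peer_port\s*(\d+)")

# Constructed excerpt modelled on the capture in the question; 198.51.100.7 is
# a documentation-range placeholder, not the poster's real peer address.
FAILED_CAPTURE = """\
00:05:28: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
00:05:38: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:05:38: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
00:05:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:05:39: ISAKMP (0:1): NAT found, the node outside NAT
00:05:39: ISAKMP (0:1): sending packet to 198.51.100.7 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
00:05:39: ISAKMP (0:1): SA has been authenticated with 198.51.100.7
00:05:39: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
00:05:39: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2023064236
00:05:39: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:05:39: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1563502446, reason: Unknown delete reason!
00:05:39: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 198.51.100.7) input queue 0
00:05:39: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# Constructed capture of a negotiation that completes both phases, for contrast.
SUCCESS_CAPTURE = """\
00:07:02: ISAKMP (0:2): Old State = IKE_READY  New State = IKE_I_MM1
00:07:02: ISAKMP (0:2): Old State = IKE_I_MM1  New State = IKE_I_MM2
00:07:02: ISAKMP (0:2): sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:07:02: ISAKMP (0:2): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
00:07:02: ISAKMP (0:2): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:07:02: ISAKMP (0:2): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""


def transitions(capture):
    """All (old, new) IKE state-machine transitions, in the order logged."""
    return [m.groups() for m in STATE_RE.finditer(capture)]


def classify(f):
    """Map the findings to the point where the negotiation stopped."""
    if not f["phase1_complete"]:
        if f["retransmits"] and not f["peer_responded"]:
            # Nothing came back on UDP 500: reachability, filtering, or no peer config.
            return "phase1-no-response"
        return "phase1-failed"  # peer answered but policy or key did not match
    if f["phase2_complete"]:
        return "established"
    if f["peer_delete"]:
        # Phase 1 done, then the peer tore the SA down during Quick Mode.
        return "phase2-peer-deleted"
    return "phase2-incomplete"


def analyse(capture):
    """Summarise one ISAKMP debug capture as a dict of findings plus a verdict."""
    reached = {new for _, new in transitions(capture)}
    ports = {int(p) for m in PORT_RE.finditer(capture) for p in m.groups()}
    findings = {
        # The responder's first reply moves the initiator from MM1 to MM2.
        "peer_responded": "IKE_I_MM2" in reached or "IKE_R_MM2" in reached,
        "retransmits": len(re.findall(r"retransmitting phase 1", capture)),
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        "quick_mode_started": bool({"IKE_QM_I_QM1", "IKE_QM_R_QM1"} & reached),
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in reached,
        # Either the explicit NAT-discovery line or the move to UDP 4500 shows NAT-T in use.
        "nat_t": "NAT found" in capture or 4500 in ports,
        "peer_delete": "DELETE_WITH_REASON" in capture,
        "sa_destroyed": "IKE_DEST_SA" in reached,
    }
    findings["verdict"] = classify(findings)
    return findings


if __name__ == "__main__":
    for name, cap in (("failed", FAILED_CAPTURE), ("success", SUCCESS_CAPTURE)):
        f = analyse(cap)
        print(f"{name}: verdict={f['verdict']} nat_t={f['nat_t']} retransmits={f['retransmits']}")
```

On the posted debug this yields "phase2-peer-deleted" with NAT-T in use and one Phase 1 retransmit: the pre-shared key and ISAKMP policy were accepted and the SA authenticated, and the peer sent a delete in response to the first Quick Mode packet, so the place to look is the peer's Phase 2 handling (and, as the thread concluded, the IOS release on the router), not the key or the Phase 1 proposal.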
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
You may need to enable crypto keepalive:

!
crypto isakmp keepalive 30
!

Do you have 1-1 static NAT mapped to the VPN 3005 on the remote end?
Do you have access-lists permitting UDP 4500, UDP 500 and TCP 50 to the VPN's nat address?
Does the remote host that you are trying to ping have a route to your 172.30.10.0 subnet pointing to the VPN3005?

Author Comment

by:gpshute
I tried the keepalive option on the router, but the debug shows the same issue.


The NAT is a one to one for that address.
UDP 4500 and UDP 500 are open. So is TCP 500.
I do not have a route back to the 172.30.10.0 subnet from the host that I am pinging, but I thought the tunnel should come up anyway.

Does it look to you that phase II is failing?


Thanks
Graham
LVL 79

Expert Comment

by:lrmoore
>I do not have a route back to the 172.30.10.0 subnet from the host that I am pinging, but I thought the tunnel should come up anyway.

Negative. You need that route. There must be a 2-way connection before the tunnel will come up all the way.

>So is TCP 500.
Should be TCP 50

Also try open for UDP 10000 (yes, 10 thousand)

Author Comment

by:gpshute
This has turned out to be a bug in the IOS release that I was using on the router. The same configuration worked using version 12.2(11)T11.

Thanks for your help

Graham
LVL 79

Expert Comment

by:lrmoore
Do you need any more assistance or information?
Can you close out this long-forgotten question?
Here's how:
http://www.experts-exchange.com/help.jsp#hs5

Thanks!
<8-}
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin