Cisco GRE/IPSec Site to Site with NAT on the ISP Router

Hi

I have a small backbone of 7 IPsec (GRE) tunnels: 7 Cisco 1721s and one Cisco 2821 (every Cisco 1721 has a tunnel to the C2821).

But one doesn't work, because that Cisco 1721 doesn't have direct Internet access. This router has the IP 192.168.1.100 and its gateway is the ISP's router (I don't have access to it; I think it's a WatchGuard).

On the ISP router, I have requested port forwarding for UDP 500 and 4500.

Config on the C1721:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key MyKEY address 78.IP_OF_C2821
crypto isakmp nat keepalive 20
crypto isakmp profile vpn
   keyring default
   match identity address 78.IP_OF_C2821 255.255.255.255
!
!
! encryption-only transform set: no ESP integrity algorithm (esp-sha-hmac) is configured
crypto ipsec transform-set ipsec_tunnel esp-3des
!
crypto ipsec profile ipsec_vpn
 set transform-set ipsec_tunnel
 set isakmp-profile vpn
!
!
!
!
interface Tunnel0
 ip address 172.16.1.194 255.255.255.252
 ! Ethernet0 holds the private address; it becomes the GRE source and the proxy identity offered in Phase 2
 tunnel source Ethernet0
 tunnel destination 78.IP_OF_C2821
 tunnel protection ipsec profile ipsec_vpn


Config on the C2821:

! the pre-shared key is looked up by the IKE packet's source address, i.e. the ISP router's NAT address
crypto isakmp key MyKEY address 77.IP_OF_ISP_ROUTER

crypto isakmp profile VPN001
   keyring default
   ! matched against the ID the peer asserts in its IKE ID payload, not against the packet source
   match identity address 77.IP_OF_ISP_ROUTER 255.255.255.255

! encryption-only transform set: no ESP integrity algorithm (esp-sha-hmac) is configured
crypto ipsec transform-set ipsec_tunnel_vpn001 esp-3des

crypto ipsec profile ipsec_vpn_vpn001
 set transform-set ipsec_tunnel_vpn001
 set isakmp-profile VPN001

interface Tunnel8
 ip address 172.16.1.193 255.255.255.252
 tunnel source 78.IP_OF_C2821
 tunnel destination 77.IP_OF_ISP_ROUTER
 tunnel protection ipsec profile ipsec_vpn_vpn001




The GRE tunnels are up on both routers (sh interface tunnelxx),
but sh crypto session on the C2821 shows:

Interface: Tunnel8
Session status: DOWN
Peer: 77.IP_OF_ISP_ROUTER port 500
  IPSEC FLOW: permit 47 host 78.IP_OF_C2821 host 77.IP_OF_ISP_ROUTER
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/1
Profile: VPN001
Session status: DOWN-NEGOTIATING
Peer: 77.195.114.122 port 4500
  IKE SA: local 78.IP_OF_C2821/4500 remote 77.IP_OF_ISP_ROUTER/4500 Inactive
  IKE SA: local 78.IP_OF_C2821/4500 remote 77.IP_OF_ISP_ROUTER/4500 Inactive
  IKE SA: local 78.IP_OF_C2821/4500 remote 77.IP_OF_ISP_ROUTER/4500 Inactive



and debug logs on the C2821:


Does anyone have a solution for me?
Thanks
Jerome

Mar 30 18:22:11.124: ISAKMP (0): received packet from 77.IP_OF_ISP_ROUTER dport 500 sport 500 Global (N) NEW SA
Mar 30 18:22:11.124: ISAKMP: Created a peer struct for 77.IP_OF_ISP_ROUTER, peer port 500
Mar 30 18:22:11.124: ISAKMP: New peer created peer = 0x48403790 peer_handle = 0x800068DB
Mar 30 18:22:11.124: ISAKMP: Locking peer struct 0x48403790, refcount 1 for crypto_isakmp_process_block
Mar 30 18:22:11.124: ISAKMP: local port 500, remote port 500
Mar 30 18:22:11.124: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 484BE874
Mar 30 18:22:11.124: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:11.124: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

Mar 30 18:22:11.124: ISAKMP:(0): processing SA payload. message ID = 0
Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar 30 18:22:11.124: ISAKMP (0): vendor ID is NAT-T v7
Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID is NAT-T v3
Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID is NAT-T v2
Mar 30 18:22:11.124: ISAKMP:(0):found peer pre-shared key matching 77.IP_OF_ISP_ROUTER
Mar 30 18:22:11.124: ISAKMP:(0): local preshared key found
Mar 30 18:22:11.124: ISAKMP : Scanning profiles for xauth ... vpn vpn1
Mar 30 18:22:11.124: ISAKMP:(0): Authentication by xauth preshared
Mar 30 18:22:11.124: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Mar 30 18:22:11.124: ISAKMP:      encryption 3DES-CBC
Mar 30 18:22:11.124: ISAKMP:      hash SHA
Mar 30 18:22:11.124: ISAKMP:      default group 2
Mar 30 18:22:11.124: ISAKMP:      auth pre-share
Mar 30 18:22:11.124: ISAKMP:      life type in seconds
Mar 30 18:22:11.124: ISAKMP:      life duration (basic) of 3600
Mar 30 18:22:11.124: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 30 18:22:11.124: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 30 18:22:11.124: ISAKMP:(0):Acceptable atts:life: 0
Mar 30 18:22:11.124: ISAKMP:(0):Basic life_in_seconds:3600
Mar 30 18:22:11.124: ISAKMP:(0):Returning Actual lifetime: 3600
Mar 30 18:22:11.124: ISAKMP:(0)::Started lifetime timer: 3600.

Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar 30 18:22:11.124: ISAKMP (0): vendor ID is NAT-T v7
Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Mar 30 18:22:11.124: ISAKMP:(0): vendor ID is NAT-T v3
Mar 30 18:22:11.124: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:11.128: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 30 18:22:11.128: ISAKMP:(0): vendor ID is NAT-T v2
Mar 30 18:22:11.128: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:11.128: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

Mar 30 18:22:11.128: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 30 18:22:11.128: ISAKMP:(0): sending packet to 77.IP_OF_ISP_ROUTER my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 30 18:22:11.128: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 30 18:22:11.128: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 30 18:22:11.128: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

Mar 30 18:22:11.392: ISAKMP (0): received packet from 77.IP_OF_ISP_ROUTER dport 500 sport 500 Global (R) MM_SA_SETUP
Mar 30 18:22:11.392: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:11.392: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

Mar 30 18:22:11.392: ISAKMP:(0): processing KE payload. message ID = 0
Mar 30 18:22:11.400: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 30 18:22:11.400: ISAKMP:(0):found peer pre-shared key matching 77.IP_OF_ISP_ROUTER
Mar 30 18:22:11.400: ISAKMP:(5733): processing vendor id payload
Mar 30 18:22:11.400: ISAKMP:(5733): vendor ID is Unity
Mar 30 18:22:11.400: ISAKMP:(5733): processing vendor id payload
Mar 30 18:22:11.400: ISAKMP:(5733): vendor ID is DPD
Mar 30 18:22:11.404: ISAKMP:(5733): processing vendor id payload
Mar 30 18:22:11.404: ISAKMP:(5733): speaking to another IOS box!
Mar 30 18:22:11.404: ISAKMP (5733): His hash no match - this node outside NAT
Mar 30 18:22:11.404: ISAKMP (5733): His hash no match - this node outside NAT
Mar 30 18:22:11.404: ISAKMP:(5733):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:11.404: ISAKMP:(5733):Old State = IKE_R_MM3  New State = IKE_R_MM3 

Mar 30 18:22:11.404: ISAKMP:(5733): sending packet to 77.IP_OF_ISP_ROUTER my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar 30 18:22:11.404: ISAKMP:(5733):Sending an IKE IPv4 Packet.
Mar 30 18:22:11.404: ISAKMP:(5733):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 30 18:22:11.404: ISAKMP:(5733):Old State = IKE_R_MM3  New State = IKE_R_MM4 

Mar 30 18:22:11.724: ISAKMP (5733): received packet from 77.IP_OF_ISP_ROUTER dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Mar 30 18:22:11.728: ISAKMP:(5733):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:11.728: ISAKMP:(5733):Old State = IKE_R_MM4  New State = IKE_R_MM5 

Mar 30 18:22:11.728: ISAKMP:(5733): processing ID payload. message ID = 0
Mar 30 18:22:11.728: ISAKMP (5733): ID payload 
	next-payload : 8
	type         : 1 
	address      : 192.168.0.111 
	protocol     : 17 
	port         : 0 
	length       : 12
Mar 30 18:22:11.728: ISAKMP:(0):: peer matches *none* of the profiles
Mar 30 18:22:11.728: ISAKMP:(5733): processing HASH payload. message ID = 0
Mar 30 18:22:11.728: ISAKMP:(5733): processing NOTIFY INITIAL_CONTACT protocol 1
	spi 0, message ID = 0, sa = 484BE874
Mar 30 18:22:11.728: ISAKMP:(5733):SA authentication status:
	authenticated
Mar 30 18:22:11.728: ISAKMP:(5733):SA has been authenticated with 77.IP_OF_ISP_ROUTER
Mar 30 18:22:11.728: ISAKMP:(5733):Detected port floating to port = 4500
Mar 30 18:22:11.728: ISAKMP: Trying to find existing peer 78.IP_OF_C2821/77.IP_OF_ISP_ROUTER/4500/ and found existing peer 484170B8 to reuse, free 48403790
Mar 30 18:22:11.728: ISAKMP: Unlocking peer struct 0x48403790 Reuse existing peer, count 0
Mar 30 18:22:11.728: ISAKMP: Deleting peer node by peer_reap for 77.IP_OF_ISP_ROUTER: 48403790
Mar 30 18:22:11.728: ISAKMP: Locking peer struct 0x484170B8, refcount 344 for Reuse existing peer
Mar 30 18:22:11.728: ISAKMP:(5733):SA authentication status:
	authenticated
Mar 30 18:22:11.728: ISAKMP:(5733): Process initial contact,
bring down existing phase 1 and 2 SA's with local 78.IP_OF_C2821 remote 77.IP_OF_ISP_ROUTER remote port 4500
Mar 30 18:22:11.728: ISAKMP:(5733):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:11.728: ISAKMP:(5733):Old State = IKE_R_MM5  New State = IKE_R_MM5 

Mar 30 18:22:11.728: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 30 18:22:11.728: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 30 18:22:11.732: ISAKMP:(5733):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 30 18:22:11.732: ISAKMP (5733): ID payload 
	next-payload : 8
	type         : 1 
	address      : 78.IP_OF_C2821 
	protocol     : 17 
	port         : 0 
	length       : 12
Mar 30 18:22:11.732: ISAKMP:(5733):Total payload length: 12
Mar 30 18:22:11.732: ISAKMP:(5733): sending packet to 77.IP_OF_ISP_ROUTER my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Mar 30 18:22:11.732: ISAKMP:(5733):Sending an IKE IPv4 Packet.
Mar 30 18:22:11.732: ISAKMP:(5733):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 30 18:22:11.732: ISAKMP:(5733):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

Mar 30 18:22:11.732: ISAKMP:(5733):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 30 18:22:11.732: ISAKMP:(5733):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

Mar 30 18:22:11.788: ISAKMP (5733): received packet from 77.IP_OF_ISP_ROUTER dport 4500 sport 4500 Global (R) QM_IDLE      
Mar 30 18:22:11.788: ISAKMP: set new node -595543686 to QM_IDLE      
Mar 30 18:22:11.788: ISAKMP:(5733): processing HASH payload. message ID = -595543686
Mar 30 18:22:11.788: ISAKMP:(5733): processing SA payload. message ID = -595543686
Mar 30 18:22:11.788: ISAKMP:(5733):Checking IPSec proposal 1
Mar 30 18:22:11.788: ISAKMP: transform 1, ESP_3DES
Mar 30 18:22:11.788: ISAKMP:   attributes in transform:
Mar 30 18:22:11.788: ISAKMP:      encaps is 3 (Tunnel-UDP)
Mar 30 18:22:11.788: ISAKMP:      SA life type in seconds
Mar 30 18:22:11.788: ISAKMP:      SA life duration (basic) of 3600
Mar 30 18:22:11.788: ISAKMP:      SA life type in kilobytes
Mar 30 18:22:11.788: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
Mar 30 18:22:11.788: ISAKMP:(5733):atts are acceptable.
Mar 30 18:22:11.788: IPSEC(validate_proposal_request): proposal part #1
Mar 30 18:22:11.788: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 78.IP_OF_C2821, remote= 77.IP_OF_ISP_ROUTER, 
    local_proxy= 78.IP_OF_C2821/255.255.255.255/47/0 (type=1), 
    remote_proxy= 192.168.0.111/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_check_isakmp_profile profile did not match
Mar 30 18:22:11.792: map_db_find_best did not find matching map
Mar 30 18:22:11.792: IPSEC(ipsec_process_proposal): proxy identities not supported
Mar 30 18:22:11.792: ISAKMP:(5733): IPSec policy invalidated proposal with error 32
Mar 30 18:22:11.792: ISAKMP:(5733): phase 2 SA policy not acceptable! (local 78.IP_OF_C2821 remote 77.IP_OF_ISP_ROUTER)
Mar 30 18:22:11.792: ISAKMP: set new node 305473858 to QM_IDLE      
Mar 30 18:22:11.792: ISAKMP:(5733):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
	spi 1250403208, message ID = 305473858
Mar 30 18:22:11.792: ISAKMP:(5733): sending packet to 77.IP_OF_ISP_ROUTER my_port 4500 peer_port 4500 (R) QM_IDLE      
Mar 30 18:22:11.792: ISAKMP:(5733):Sending an IKE IPv4 Packet.
Mar 30 18:22:11.796: ISAKMP:(5733):purging node 305473858
Mar 30 18:22:11.796: ISAKMP:(5733):deleting node -595543686 error TRUE reason "QM rejected"
Mar 30 18:22:11.796: ISAKMP:(5733):Node -595543686, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 30 18:22:11.796: ISAKMP:(5733):Old State = IKE_QM_READY  New State = IKE_QM_READY
Mar 30 18:22:15.616: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 78.IP_OF_C2821, remote= 77.IP_OF_ISP_ROUTER, 
    local_proxy= 78.IP_OF_C2821/255.255.255.255/47/0 (type=1), 
    remote_proxy= 77.IP_OF_ISP_ROUTER/255.255.255.255/47/0 (type=1)
Mar 30 18:22:15.616: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 78.IP_OF_C2821, remote= 77.IP_OF_ISP_ROUTER, 
    local_proxy= 78.IP_OF_C2821/255.255.255.255/47/0 (type=1), 
    remote_proxy= 77.IP_OF_ISP_ROUTER/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 30 18:22:15.616: ISAKMP:(0): SA request profile is VPN001
Mar 30 18:22:15.616: ISAKMP: Created a peer struct for 77.IP_OF_ISP_ROUTER, peer port 500
Mar 30 18:22:15.616: ISAKMP: New peer created peer = 0x48403790 peer_handle = 0x800069AA
Mar 30 18:22:15.616: ISAKMP: Locking peer struct 0x48403790, refcount 1 for isakmp_initiator
Mar 30 18:22:15.616: ISAKMP: local port 500, remote port 500
Mar 30 18:22:15.616: ISAKMP: set new node 0 to QM_IDLE      
Mar 30 18:22:15.616: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 484D72E8
Mar 30 18:22:15.616: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 30 18:22:15.616: ISAKMP:(0):Found ADDRESS key in keyring default
Mar 30 18:22:15.616: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 30 18:22:15.616: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 30 18:22:15.616: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 30 18:22:15.616: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 30 18:22:15.616: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 30 18:22:15.616: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Mar 30 18:22:15.616: ISAKMP:(0): beginning Main Mode exchange
Mar 30 18:22:15.620: ISAKMP:(0): sending packet to 77.IP_OF_ISP_ROUTER my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 30 18:22:15.620: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 30 18:22:15.892: ISAKMP (0): received packet from 77.IP_OF_ISP_ROUTER dport 500 sport 500 Global (I) MM_NO_STATE
Mar 30 18:22:15.892: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:15.892: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

Mar 30 18:22:15.892: ISAKMP:(0): processing SA payload. message ID = 0
Mar 30 18:22:15.892: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:15.892: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar 30 18:22:15.892: ISAKMP (0): vendor ID is NAT-T v7
Mar 30 18:22:15.892: ISAKMP:(0):Found ADDRESS key in keyring default
Mar 30 18:22:15.892: ISAKMP:(0): local preshared key found
Mar 30 18:22:15.892: ISAKMP : Looking for xauth in profile VPN001
Mar 30 18:22:15.892: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Mar 30 18:22:15.892: ISAKMP:      encryption 3DES-CBC
Mar 30 18:22:15.892: ISAKMP:      hash SHA
Mar 30 18:22:15.892: ISAKMP:      default group 2
Mar 30 18:22:15.892: ISAKMP:      auth pre-share
Mar 30 18:22:15.892: ISAKMP:      life type in seconds
Mar 30 18:22:15.892: ISAKMP:      life duration (basic) of 3600
Mar 30 18:22:15.892: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 30 18:22:15.892: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 30 18:22:15.892: ISAKMP:(0):Acceptable atts:life: 0
Mar 30 18:22:15.892: ISAKMP:(0):Basic life_in_seconds:3600
Mar 30 18:22:15.892: ISAKMP:(0):Returning Actual lifetime: 3600
Mar 30 18:22:15.892: ISAKMP:(0)::Started lifetime timer: 3600.

Mar 30 18:22:15.892: ISAKMP:(0): processing vendor id payload
Mar 30 18:22:15.892: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar 30 18:22:15.892: ISAKMP (0): vendor ID is NAT-T v7
Mar 30 18:22:15.892: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:15.892: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

Mar 30 18:22:15.896: ISAKMP:(0): sending packet to 77.IP_OF_ISP_ROUTER my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 30 18:22:15.896: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 30 18:22:15.896: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 30 18:22:15.896: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

Mar 30 18:22:16.228: ISAKMP (0): received packet from 77.IP_OF_ISP_ROUTER dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 30 18:22:16.228: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:16.228: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

Mar 30 18:22:16.228: ISAKMP:(0): processing KE payload. message ID = 0
Mar 30 18:22:16.232: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 30 18:22:16.232: ISAKMP:(0):Found ADDRESS key in keyring default
Mar 30 18:22:16.236: ISAKMP:(5734): processing vendor id payload
Mar 30 18:22:16.236: ISAKMP:(5734): vendor ID is Unity
Mar 30 18:22:16.236: ISAKMP:(5734): processing vendor id payload
Mar 30 18:22:16.236: ISAKMP:(5734): vendor ID is DPD
Mar 30 18:22:16.236: ISAKMP:(5734): processing vendor id payload
Mar 30 18:22:16.236: ISAKMP:(5734): speaking to another IOS box!
Mar 30 18:22:16.236: ISAKMP (5734): His hash no match - this node outside NAT
Mar 30 18:22:16.236: ISAKMP (5734): His hash no match - this node outside NAT
Mar 30 18:22:16.236: ISAKMP:(5734):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:16.236: ISAKMP:(5734):Old State = IKE_I_MM4  New State = IKE_I_MM4 

Mar 30 18:22:16.236: ISAKMP:(5734):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 30 18:22:16.236: ISAKMP (5734): ID payload 
	next-payload : 8
	type         : 1 
	address      : 78.IP_OF_C2821 
	protocol     : 17 
	port         : 0 
	length       : 12
Mar 30 18:22:16.236: ISAKMP:(5734):Total payload length: 12
Mar 30 18:22:16.240: ISAKMP:(5734): sending packet to 77.IP_OF_ISP_ROUTER my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 30 18:22:16.240: ISAKMP:(5734):Sending an IKE IPv4 Packet.
Mar 30 18:22:16.240: ISAKMP:(5734):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 30 18:22:16.240: ISAKMP:(5734):Old State = IKE_I_MM4  New State = IKE_I_MM5 

Mar 30 18:22:16.292: ISAKMP (5734): received packet from 77.IP_OF_ISP_ROUTER dport 4500 sport 4500 Global (I) MM_KEY_EXCH
Mar 30 18:22:16.292: ISAKMP:(5734): processing ID payload. message ID = 0
Mar 30 18:22:16.292: ISAKMP (5734): ID payload 
	next-payload : 8
	type         : 1 
	address      : 192.168.0.111 
	protocol     : 17 
	port         : 0 
	length       : 12
Mar 30 18:22:16.292: ISAKMP:(5734):Expected VPN001 profile doesn't match, aborting exchange
Mar 30 18:22:16.292: ISAKMP (5734): FSM action returned error: 2
Mar 30 18:22:16.292: ISAKMP:(5734):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 30 18:22:16.292: ISAKMP:(5734):Old State = IKE_I_MM5  New State = IKE_I_MM6 

Mar 30 18:22:16.292: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 77.IP_OF_ISP_ROUTER
Mar 30 18:22:16.292: ISAKMP:(5734):peer does not do paranoid keepalives.

Mar 30 18:22:16.292: ISAKMP:(5734):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 77.IP_OF_ISP_ROUTER)
Mar 30 18:22:16.292: ISAKMP:(5734):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 30 18:22:16.292: ISAKMP:(5734):Old State = IKE_I_MM6  New State = IKE_I_MM6 

Mar 30 18:22:16.292: ISAKMP:(5734):peer does not do paranoid keepalives.

Mar 30 18:22:16.292: ISAKMP (5734): FSM action returned error: 2
Mar 30 18:22:16.292: ISAKMP:(5734):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Mar 30 18:22:16.292: ISAKMP:(5734):Old State = IKE_I_MM6  New State = IKE_I_MM5 

Mar 30 18:22:16.296: ISAKMP:(5734):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 77.IP_OF_ISP_ROUTER) 
Mar 30 18:22:16.296: ISAKMP: Unlocking peer struct 0x48403790 for isadb_mark_sa_deleted(), count 0
Mar 30 18:22:16.296: ISAKMP: Deleting peer node by peer_reap for 77.IP_OF_ISP_ROUTER: 48403790
Mar 30 18:22:16.296: ISAKMP:(5734):deleting node -1121766510 error FALSE reason "IKE deleted"
Mar 30 18:22:16.296: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 30 18:22:16.296: ISAKMP:(5734):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 30 18:22:16.296: ISAKMP:(5734):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

Mar 30 18:22:17.972: ISAKMP:(5731):purging node 1551026648
Mar 30 18:22:17.976: ISAKMP:(5729):purging node 97529326
Mar 30 18:22:27.975: ISAKMP:(5731):purging SA., sa=48439754, delme=48439754
Mar 30 18:22:27.979: ISAKMP:(5729):purging SA., sa=48438D90, delme=48438D90
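The debug above shows the spoke authenticating and then failing twice: "peer matches *none* of the profiles" in Phase 1 and "proxy identities not supported" in Phase 2. What follows is an added example, not part of jpc42's post and not IOS code: a small Python model of the two IOS checks involved, run over a constructed, shortened copy of the debug output in which the redacted addresses are replaced by documentation addresses (203.0.113.1 stands in for 78.IP_OF_C2821, 198.51.100.1 for 77.IP_OF_ISP_ROUTER; 192.168.0.111 is the 1721's address as given later in the thread). The ISAKMP profile and the GRE flow are taken from the posted C2821 config and its sh crypto session output; the function and constant names are the example's own.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed, shortened copy of the posted C2821 debug. Documentation
# addresses stand in for the redacted ones: 203.0.113.1 = 78.IP_OF_C2821,
# 198.51.100.1 = 77.IP_OF_ISP_ROUTER. 192.168.0.111 is the 1721's own address.
SAMPLE_DEBUG = """\
Mar 30 18:22:11.724: ISAKMP (5733): received packet from 198.51.100.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Mar 30 18:22:11.728: ISAKMP:(5733): processing ID payload. message ID = 0
Mar 30 18:22:11.728: ISAKMP (5733): ID payload
\tnext-payload : 8
\ttype         : 1
\taddress      : 192.168.0.111
\tprotocol     : 17
\tport         : 0
\tlength       : 12
Mar 30 18:22:11.728: ISAKMP:(0):: peer matches *none* of the profiles
Mar 30 18:22:11.728: ISAKMP:(5733):SA has been authenticated with 198.51.100.1
Mar 30 18:22:11.728: ISAKMP:(5733):Detected port floating to port = 4500
Mar 30 18:22:11.788: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.0.113.1, remote= 198.51.100.1,
    local_proxy= 203.0.113.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.0.111/255.255.255.255/47/0 (type=1),
Mar 30 18:22:11.792: IPSEC(ipsec_process_proposal): proxy identities not supported
Mar 30 18:22:11.792: ISAKMP:(5733):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""


@dataclass(frozen=True)
class Proxy:
    """One side of an IPsec traffic selector: a network and an IP protocol."""
    net: IPv4Network
    proto: int


# From the posted C2821 config: match identity address 77.IP_OF_ISP_ROUTER /32
ISAKMP_PROFILES = {"VPN001": ip_network("198.51.100.1/32")}
# From 'show crypto session' on the C2821: permit 47 host 78.x host 77.x
HUB_LOCAL = Proxy(ip_network("203.0.113.1/32"), 47)
HUB_REMOTE = Proxy(ip_network("198.51.100.1/32"), 47)

_SRC_RE = re.compile(r"received packet from (\S+) dport")
_ID_ADDR_RE = re.compile(r"^\s*address\s+:\s+(\S+)")
_PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/\d+")


def parse_debug(text):
    """Pull the facts that matter out of 'debug crypto isakmp/ipsec' output."""
    facts = {"peer_ip": None, "peer_id": None, "nat_t": False,
             "profile_matched": True, "local_proxy": None,
             "remote_proxy": None, "phase2_rejected": False}
    reading_peer_id = False  # True while inside the ID payload the peer sent
    for line in text.splitlines():
        m = _SRC_RE.search(line)
        if m:
            facts["peer_ip"] = m.group(1)          # source of the IKE packets
        if "processing ID payload" in line:
            reading_peer_id = True
        elif reading_peer_id:
            m = _ID_ADDR_RE.match(line)
            if m:
                facts["peer_id"] = m.group(1)      # identity the peer asserts
                reading_peer_id = False
        if "peer matches *none* of the profiles" in line:
            facts["profile_matched"] = False
        if "port floating to port = 4500" in line:
            facts["nat_t"] = True                   # NAT-T: peer is behind NAT
        m = _PROXY_RE.search(line)
        if m:
            side, addr, mask, proto = m.groups()
            facts[side + "_proxy"] = Proxy(ip_network(addr + "/" + mask), int(proto))
        if "proxy identities not supported" in line or "PROPOSAL_NOT_CHOSEN" in line:
            facts["phase2_rejected"] = True
    return facts


def match_isakmp_profile(profiles, peer_id):
    """IOS 'match identity address A M' compares the asserted IKE ID (not the
    packet source) against A/M. Returns the profile name or None."""
    addr = ip_address(peer_id)
    for name, net in profiles.items():
        if addr in net:
            return name
    return None


def proxy_acceptable(local, remote):
    """Responder-side Phase 2 check: each proposed selector must use the same
    protocol as, and lie inside, the hub's GRE flow."""
    def inside(proposed, allowed):
        return proposed.proto == allowed.proto and proposed.net.subnet_of(allowed.net)
    return inside(local, HUB_LOCAL) and inside(remote, HUB_REMOTE)


def diagnose(facts):
    """Turn the parsed facts into findings, in the order IOS hits them."""
    findings = []
    if facts["nat_t"] and facts["peer_id"] and facts["peer_id"] != facts["peer_ip"]:
        findings.append("NAT-T: IKE packets come from %s but the peer identifies "
                        "itself as %s" % (facts["peer_ip"], facts["peer_id"]))
    if (not facts["profile_matched"] or facts["peer_id"] is None
            or match_isakmp_profile(ISAKMP_PROFILES, facts["peer_id"]) is None):
        findings.append("phase 1: the asserted ID matches no 'match identity address' "
                        "(the PSK was still found, because that lookup uses the packet source)")
    if (facts["local_proxy"] is None or facts["remote_proxy"] is None
            or not proxy_acceptable(facts["local_proxy"], facts["remote_proxy"])):
        findings.append("phase 2: the proposed GRE selector carries the private address, "
                        "while the hub's flow is bound to the NAT address")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

Running it prints three findings. The point they make is visible in the original debug too: the pre-shared key is found by the packet's source address (the ISP router's NAT address, so authentication succeeds), but both the ISAKMP profile's match identity address and the GRE proxy identities are compared against the address the 1721 actually asserts, 192.168.0.111, which is why the session authenticates and then is torn down with PROPOSAL_NOT_CHOSEN.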


jpc42Asked:

luc_roySystem AdminCommented:
Do you have a public IP on the router connected to the ISP?
You cannot create a tunnel with a private IP. You need a public one on each gateway. In the config you posted you are using a 172.16 address to try and connect the tunnel, and that will not work: the Internet cannot route a 172.16 address.
jpc42Author Commented:
On the Cisco 1721? No public IP; the public IP is on the ISP router and it does the NAT.

172.16 is the GRE tunnel; I use 172.16 on all routers, and only one doesn't work.

Do you want more config?

Thanks for your help
GJHopkinsCommented:
EZVPN on the 1721: it is designed to act as a VPN client on the router, so it can be used with a private address behind a firewall. The ISP router needs to NAT your outside interface to its own and set up the NAT slots for the return traffic.

Start with some examples here

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

luc_roySystem AdminCommented:
I guess my question is: you need to know how the ISP is connected to you and what they are doing with the public IP you are using.

If you do not control the IP and have no control over what they are doing with it, it will be more difficult. Like GJHopkins said, you can VPN with a private IP; it's done every day throughout the world from homes, hotels, etc., but those systems are using a NATed public IP, and in commercial applications they are configured to specifically allow VPN tunnels to establish.

You should see if they will let you pull the IP to your interface using DHCP and then NAT on your outside interface. This would make it simpler to control and troubleshoot if you have issues.
jpc42Author Commented:
GJHopkins:
Can I configure an Easy VPN server on the C2821 and put the Cisco 1721 in "Easy VPN remote client" mode? In the list of samples, is it "DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example" or "EzVPN in NEM Mode with Split tunnelling on the IOS Router Configuration Example"?

luc_roy:

On the Cisco 1721 it's a static private IP, 192.168.0.111 (no DHCP); the ISP's router uses 192.168.0.254. The WAN of the ISP router has a public static IP (it never changes). The ISP has created two permanent port forwardings: 500 (TCP & UDP) and 4500 (UDP).

If I can't use IPsec because of their NAT, is there another encrypted solution? (SSL on a C1721?)

Thanks
Jerome
GJHopkinsCommented:
It depends on the setup, but you may be able to use IPsec with NAT; see the details for IPsec NAT transparency here:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1035671

It all depends on the ISP router, though. However, I have used EZVPN from an internal router with a private address through an ISP router to create an IPsec tunnel to an ASA. Your ISP ought not to be blocking traffic.

Of course this requires the client end, the 1721, to initiate the tunnel; we were running Cisco phones with CUCME on the remote end, so this kept the tunnel up.

A typical EZVPN setup is below: wired and wireless LAN, Fa4 is the link to the ISP router on 10.44.20.0/24,
and the internal LAN is 192.168.244.0/24, NATed again by the ISP to their Internet address.

! EZVPN client profile; the same name is referenced on the outside and inside interfaces
crypto ipsec client ezvpn freddy
 connect auto
 group group-name key freedy-key
 mode client
 peer 2XX.2XX.1XX.2XX
 username ezvpn.router password XXXXXXXXXXXXXXXXXXXXXXX
 xauth userid mode local
!
! outside interface towards the ISP router (private address, NATed by the ISP)
interface FastEthernet4
 ip address 10.44.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto ipsec client ezvpn freddy
!
interface Vlan1
 description Interface to connect wired ports to bridge
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.244.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ! must reference the same client as the outside interface (the posted line read "essant")
 crypto ipsec client ezvpn freddy inside
!
ip route 0.0.0.0 0.0.0.0 10.44.20.254
!
ip nat inside source list 100 interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.244.0 0.0.0.255 any


GJHopkinsCommented:
Oh, and if you want to make the whole local LAN available then use

crypto ipsec client ezvpn freddy
 mode network-extension