chillicom
asked on
cisco vpn phase 1 negotiation failing
I am having an issue with phase 1 negotiation between 2 Cisco routers. Any suggestions would be most welcome! I do not have access to the client router, but I have enclosed the config of my router (IPs changed) and the description of the customer's setup.
my router:
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
crypto isakmp key t3st address 145.146.147.148
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP3-DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to
set peer 145.146.147.148
set transform-set ESP3-DES-MD5
set pfs group1
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
bandwidth 100000
ip address 192.168.20.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
duplex auto
speed auto
!
interface FastEthernet0/1
bandwidth 100000
ip address 192.168.21.33 255.255.255.0
ip flow ingress
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username jkh password 0 7
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.11.0 255.255.255.0 192.168.21.1
ip route 192.168.22.0 255.255.255.0 192.168.21.1
ip route 192.168.25.0 255.255.255.0 192.168.21.1
ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.21.251 2055
!
ip nat inside source static tcp 192.168.20.27 5900 interface Dialer0 5900
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.200 3389 1.1.1.1 3389 route-map SDM_RMAP_1 extendable
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
end point router:
Given below are the details from the ac side.
The VPN parameters are:
ac VPN device: Cisco 7206
ac Peer IP: 145.146.147.148
ac Encryption Domain: 150.2.0.0/16
ISAKMP Hash: MD5
ISAKMP Encryption: 3DES
ISAKMP DH Group: Group 2
ISAKMP Key Mode: Main Mode
ISAKMP Key Lifetime: 86400 secs
Perfect Forward Secrecy: Off
IPSEC Encapsulation: Tunnel Mode
IPSEC Protocol Type: ESP
IPSEC Cipher Algorithm: 3DES
IPSEC Authentication: HMAC-MD5
IPSEC Lifetime: 3600 sec
Port details:
"Customer to:
ICMP: echo and echo reply
FTP: TCP20
HTTP: TCP8002, 80
GEMS diags: TCP 7979
X-windows: TCP6000-6200
to Customer:
ICMP: echo and echo reply
FTP: TCP21
ssh: TCP22
Telnet: TCP23, 2327, 2328
HTTP: TCP80, 8080
Rexec: TCP512
VNC: TCP5800, 5900
MR firmware diagnostics: TCP8100"
tests#show cry isa sa | sec 1.1.1.1
1.1.1.1 145.146.147.148 MM_NO_STATE 0 0 ACTIVE
1.1.1.1 145.146.147.148 MM_NO_STATE 0 0 ACTIVE (deleted)
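An added example (my own, not code from the asker or from Cisco) that compares the three ISAKMP policies posted above against the Phase 1 values in the customer's parameter sheet. It assumes the standard IOS policy defaults for attributes the running config omits (encr des, hash sha, group 1, rsa-sig authentication) and treats the configured pre-shared key as implying pre-share authentication on the peer:

```python
# Added example, not the asker's or Cisco's code. A Phase 1 policy matches only
# when encryption, hash, DH group and authentication all agree, so the IOS
# defaults that "show run" omits are filled in before comparing.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
# Phase 1 values from the customer's parameter sheet (pre-shared key implied).
PEER = {"encr": "3des", "hash": "md5", "group": "2", "authentication": "pre-share"}

ASKER_CONFIG = """crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
"""
# Constructed candidate: one policy carrying every peer value explicitly.
CORRECTED_POLICY = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

def parse_isakmp_policies(config_text):
    """Return {policy_number: {attr: value}} with IOS defaults applied."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            current = int(line.split()[-1])
            policies[current] = dict(IOS_ISAKMP_DEFAULTS)
        elif current is not None and line and line[0] != "!" and not line.startswith("crypto"):
            key, value = line.split(None, 1)
            policies[current][key] = value
        else:
            current = None  # "!" or another top-level command ends the policy block
    return policies

def matching_policies(policies, peer):
    """Policy numbers that agree with the peer on every compared attribute."""
    return [n for n, p in sorted(policies.items()) if all(p[k] == peer[k] for k in peer)]

def explain_mismatch(policies, peer):
    """{policy: {attr: (local, peer)}} listing only the attributes that differ."""
    return {n: {k: (p[k], peer[k]) for k in peer if p[k] != peer[k]}
            for n, p in sorted(policies.items())}
```

Run against the posted policies, no policy matches (policy 1 differs on hash, policy 2 on encryption and group, policy 3 on hash and group), which is consistent with a Phase 1 SA stuck in MM_NO_STATE; the constructed CORRECTED_POLICY matches on all four attributes.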