Solved

Why Doesn't This Cisco VPN Configuration Connect?

Posted on 2010-08-14
40
4,977 Views
Last Modified: 2012-06-27
Can anyone help tell me what's missing with this config? We have two 881 routers and set up the VPN, but the connection never comes up. I've done the extended pings to test but no return, and it doesn't show passing any traffic over the tunnel.

I'm assuming the issue is ACL related, but I'm not sure what I'm missing. Below is the config for router A. Router B is configured the same except the ACL 101 addresses are flipped and the static IPs for the router, peer, and key are different as expected. I've also cut out some extra values that weren't relevant just to save space.

Thanks in advance!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname routerA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4052530123
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4052530123
 revocation-check none
 rsakeypair TP-self-signed-4052530123
!
!
crypto pki certificate chain TP-self-signed-4052530123
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303532 35333031 3233301E 170D3130 30373032 31363436
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30353235
  33303132 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F22D 0AC7AE63 FBA6CF49 40D9C61F 011FDD8E 639F60FC 2B25561A 6A937BDD
  A7B536F7 F591C5F0 DB1EF660 8A78A9A3 3D2691D6 CCC36734 5B0EACFF 3788DAB0
  2335CE35 53135F2B 2FF130E3 CB8419E7 FCA12958 FA1576FC ABB149F2 0BACC389
  D039E324 12A848C1 D712BE68 09A100B3 8E972F9A 89E36682 88B375F0 A3B0805E
  BF670203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 11727472 2D796F72 6B2E6266 70642E63 6F6D301F 0603551D
  23041830 16801436 AF01335D 581256E3 70C32023 FB4CA008 9ABDF030 1D060355
  1D0E0416 041436AF 01335D58 1256E370 C32023FB 4CA0089A BDF0300D 06092A86
  4886F70D 01010405 00038181 004ED8A0 19FE1545 31A4D819 39B491EF 0F1E829A
  1E2EC1B2 75AEA6F6 F20CD38C C1891C68 87271560 C8AC4561 791CF9EC 48CE9EB0
  4977D264 26057C7D D69A69BF 5EB82630 B9BC3249 605D889B 912C2650 20C909BC
  D2F2A77B 3AA02C39 90A3E82F 52FC04B9 91F7C194 A09C4E10 E8787538 9C89DFA9
  9929FEB7 517DEE55 B7CF0D63 36
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.4 <pubdnsiphere>
!
!
ip cef
no ip bootp server
ip domain name bfpd.com
ip name-server <pubdnsiphere>
ip name-server <pubdnsiphere>
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn <snhere>
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ******** address <routerBaddresshere>
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer <routerBaddresshere>
 set transform-set esp-aes-sha
 match address 101
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address <routerAaddresshere> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.3 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.3 47 interface FastEthernet4 47
ip nat inside source static udp 192.168.1.3 67 interface FastEthernet4 67
ip nat inside source static udp 192.168.1.3 68 interface FastEthernet4 68
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500
ip route 0.0.0.0 0.0.0.0 68.166.90.41
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 69.3.229.0 0.0.0.255 any
access-list 100 permit gre any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
no cdp run

0
Question by:bluecc
40 Comments
 
LVL 1

Expert Comment

by:scarybot
Could you post any errors / logs, also the result of a show crypto isakmp peers config, and show crypto session detail.

Thanks
0
 

Author Comment

by:bluecc
Certainly. What logs can I provide for ya? Also, when I reference <routerBaddress> I do mean the public IP address, not the local one, just to clarify.
rtr-york#sh crypto isakmp peers config

rtr-york#sh crypt
rtr-york#sh crypto sess
rtr-york#sh crypto session det
rtr-york#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet4
Session status: DOWN
Peer: <routerBaddress> port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.4.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0


0
 
LVL 24

Expert Comment

by:Ken Boone
One thing is in your comments you mentioned what was different on each router and you mentioned the key. I am assuming you are talking about the pre-shared key for the crypto peer. That needs to be the same. I'm thinking you know that and just mistakenly typed that. But just want to cover all bases here. The key is the same on both routers.

What I see is that you have a nat rule that xlates everything  from the inside to the fa4 interface address.  However, for things that go across the vpn you don't want it to nat since your vpn rules state traffic from 192.168.1.0 to 192.168.4.  Well what is happening right now is that when you are on the 192.168.1.x network and send traffic to the .4 network, the 192.168.1.x is translated into the fa4 interface ip which doesn't match the rule on the other side.  You need to set it up so that 192.168.1.x network does not translate when going to 192.168.4.x.

I'll see if I can find a quick example of this.
0
 
LVL 24

Expert Comment

by:Ken Boone
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Look at Router 2 in this example it shows how to do this.

Hope that helps.
0
 
LVL 1

Expert Comment

by:scarybot
I think he's got it.
0
 
LVL 24

Expert Comment

by:Ken Boone
access-list 1 should look like this:

access-list 1 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 1 permit ip 192.168.1.0 0.0.0.255 any
!
0
 
LVL 14

Expert Comment

by:anoopkmr

Try the commands below on router A; after that, get the show crypto ipsec sa output while testing.

no access-list 1 permit 192.168.1.0 0.0.0.255

access-list 111  deny  ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111  permit   ip 192.168.1.0 0.0.0.255 any
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 111  interface FastEthernet4 overload




0
 

Author Comment

by:bluecc
Ken,

Thanks for heading me in the right direction. That command won't work without an extended ACL though, right?

Anoopkmr,

Can I apply that remotely or will it disconnect me?
0
 
LVL 14

Expert Comment

by:anoopkmr
You can try it remotely.

let me know the status
0
 
LVL 24

Expert Comment

by:Ken Boone
Yea, you just need to make the access-list 111 instead of 1 like anoopkmr said, and it will take. I always set the remote routers up so that I can ssh to the outside interface while I am testing this. That way you have a way in from the internet while you get this working without affecting the tunnel.
0
 

Author Comment

by:bluecc
Ok, I was able to apply those commands. I assumed I'd also have to change the code below for the match line to be match address 111 instead of 101, correct?

I was able to do that on RouterB but when I applied it to A it dropped my connection. Any thoughts?
crypto map vpn 10 ipsec-isakmp
 set peer <routerBaddresshere>
 set transform-set esp-aes-sha
 match address 101


0
 
LVL 24

Expert Comment

by:Ken Boone
no you do not change the match address command.

Access list 101 defines what traffic goes across the tunnel

Access-list 1, or now 111, defines what traffic gets NATted or not.



So in your config what we are changing is this:

ip nat inside source list 1 interface FastEthernet4 overload

This references access-list 1 which now needs to be changed to 111

The match address 101 statement needs to stay put and we do not want to change access-list 101.

0
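To make the two ACL roles Ken describes above (101 selects tunnel traffic, 1/111 selects what gets translated) something you can check offline rather than by eye, here is an added example that is not code from the thread or from Cisco. It parses a constructed config fragment modelled on the router A config at the top (with documentation-range placeholders for the public addresses), evaluates the NAT source ACL against a flow the crypto-map ACL selects, and shows that list 1 translates that flow while anoopkmr's list 111 exempts it. It also runs a second check the thread does not raise: it lists static UDP 500/4500 port-forwards on the interface that carries the crypto map, since such entries can hand inbound IKE to the inside host before the router's own IKE process sees it. The function names, the wildcard-to-prefix conversion (which assumes contiguous wildcards) and the first-match ACL evaluation are my own.

```python
"""Offline checker for the NAT/crypto interactions discussed in this thread
(added example, not code from the thread or from Cisco).  Question 1: would a
flow the crypto-map ACL selects be translated by the NAT source ACL first?
Question 2 (added check): do static UDP 500/4500 forwards sit on the crypto
interface, where they compete with the router's own IKE listener?"""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Constructed fragment modelled on the router A config posted above; the public
# addresses are documentation-range placeholders, not the real ones.
CONFIG_ROUTER_A = """\
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 101
!
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 crypto map vpn
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; assumes a contiguous wildcard."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))


def _parse_addr(t, i):
    """Parse one 'any' / 'host X' / 'A W' address spec at t[i]; return (net, next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1] if i + 1 < len(t) else "0.0.0.0"), i + 2


def _probe(net):
    """First usable host of a network (the address itself for a /32)."""
    return net[1] if net.num_addresses > 1 else net[0]


def parse_acls(config):
    """Return {number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if int(t[1]) <= 99:          # standard ACL: source only
            src, dst = _parse_addr(t, 3)[0], ANY
        else:                        # extended ACL: protocol, source, destination
            src, i = _parse_addr(t, 4)
            dst = _parse_addr(t, i)[0]
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def acl_action(entries, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    return next((a for a, s, d in entries if src in s and dst in d), "deny")


def referenced_lists(config):
    """(NAT source ACL number, crypto-map ACL number) as the config references them."""
    nat = re.search(r"^ip nat inside source list (\d+) interface", config, re.M)
    crypto = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n(?: [^\n]*\n)*? match address (\d+)", config, re.M)
    return int(nat.group(1)), int(crypto.group(1))


def vpn_traffic_translated(config, nat_list=None):
    """True if a flow the crypto ACL selects is permitted (i.e. translated) by the
    NAT source ACL.  nat_list overrides the referenced list, so the original list 1
    can be compared with the proposed list 111 on the same config."""
    acls = parse_acls(config)
    nat_number, crypto_number = referenced_lists(config)
    nat = acls[nat_number if nat_list is None else nat_list]
    return any(action == "permit" and acl_action(nat, _probe(s), _probe(d)) == "permit"
               for action, s, d in acls[crypto_number])


def ike_port_forwards(config):
    """Static UDP 500/4500 forwards that sit on the crypto-map interface."""
    crypto_if = current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" crypto map ") and current:
            crypto_if = current
    pattern = r"^ip nat inside source static udp (\S+) \d+ interface (\S+) (\d+)"
    return [(inside, int(port)) for inside, iface, port in re.findall(pattern, config, re.M)
            if iface == crypto_if and int(port) in (500, 4500)]
```

On the constructed fragment, vpn_traffic_translated(CONFIG_ROUTER_A) returns True (list 1 permits 192.168.1.x to anywhere, so the packet is translated to the FastEthernet4 address and no longer matches ACL 101 on either end), while vpn_traffic_translated(CONFIG_ROUTER_A, 111) returns False because the deny entry wins first-match. ike_port_forwards(CONFIG_ROUTER_A) returns the two UDP 500/4500 entries from the original config; whether they matter on a given IOS release is something to confirm on the box, but they are worth knowing about when a router that terminates IPsec never sees a phase-1 reply.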
 

Author Comment

by:bluecc
Ok, I made sure that was right. Now when I do a sh crypto session I see the interface FE4 Session Status as DOWN-NEGOTIATING on both routers.

On router A when I did a test ping and then sh crypto ipsec sa the only traffic is send errors and it's consistently incrementing.

Any thoughts what else I can check?
0
 
LVL 24

Expert Comment

by:Ken Boone
so you will need to run this:

term mon
debug crypto isakmp sa

You might not have to put "sa" on the end - I can't remember - and then log the output when you try to send traffic across the tunnel.  

How about posting the newly revised config on each end so we can look at a fresh copy now.
0
 

Author Comment

by:bluecc
Ken,

Thanks for hanging in there with me. Below is the output from the debug covering a bit over a minute:
000158: *Aug 14 20:24:50.501 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000159: *Aug 14 20:24:50.501 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000160: *Aug 14 20:24:50.501 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000161: *Aug 14 20:25:00.501 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000162: *Aug 14 20:25:00.501 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000163: *Aug 14 20:25:00.501 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000164: *Aug 14 20:25:00.501 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000165: *Aug 14 20:25:00.501 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000166: *Aug 14 20:25:10.497 PCTime: ISAKMP: set new node 0 to QM_IDLE
000167: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <ROUTERAIPADDESS>, remote <ROUTERBIPADDESS>)
000168: *Aug 14 20:25:10.501 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
000169: *Aug 14 20:25:10.501 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
000170: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000171: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

000172: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <ROUTERBIPADDESS>)
000173: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <ROUTERBIPADDESS>)
000174: *Aug 14 20:25:10.501 PCTime: ISAKMP: Unlocking peer struct 0x86582730 for isadb_mark_sa_deleted(), count 0
000175: *Aug 14 20:25:10.501 PCTime: ISAKMP: Deleting peer node by peer_reap for <ROUTERBIPADDESS>: 86582730
000176: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):deleting node -1164184059 error FALSE reason "IKE deleted"
000177: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):deleting node 2041297968 error FALSE reason "IKE deleted"
000178: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):deleting node -1099857084 error FALSE reason "IKE deleted"
000179: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000180: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

000181: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): SA request profile is (NULL)
000182: *Aug 14 20:25:40.497 PCTime: ISAKMP: Created a peer struct for <ROUTERBIPADDESS>, peer port 500
000183: *Aug 14 20:25:40.497 PCTime: ISAKMP: New peer created peer = 0x86582730 peer_handle = 0x800000FF
000184: *Aug 14 20:25:40.497 PCTime: ISAKMP: Locking peer struct 0x86582730, refcount 1 for isakmp_initiator
000185: *Aug 14 20:25:40.497 PCTime: ISAKMP: local port 500, remote port 500
000186: *Aug 14 20:25:40.497 PCTime: ISAKMP: set new node 0 to QM_IDLE
000187: *Aug 14 20:25:40.497 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 862D0C8C
000188: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000189: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):found peer pre-shared key matching <ROUTERBIPADDESS>
000190: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000191: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
000192: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
000193: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
000194: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000195: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

000196: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): beginning Main Mode exchange
000197: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000198: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000199: *Aug 14 20:25:50.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000200: *Aug 14 20:25:50.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000201: *Aug 14 20:25:50.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000202: *Aug 14 20:25:50.497 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000203: *Aug 14 20:25:50.497 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000204: *Aug 14 20:26:00.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000205: *Aug 14 20:26:00.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000206: *Aug 14 20:26:00.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000207: *Aug 14 20:26:00.497 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000208: *Aug 14 20:26:00.497 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000209: *Aug 14 20:26:00.501 PCTime: ISAKMP:(0):purging node -1164184059
000210: *Aug 14 20:26:00.501 PCTime: ISAKMP:(0):purging node 2041297968
000211: *Aug 14 20:26:00.501 PCTime: ISAKMP:(0):purging node -1099857084
000212: *Aug 14 20:26:10.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000213: *Aug 14 20:26:10.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000214: *Aug 14 20:26:10.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000215: *Aug 14 20:26:10.497 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000216: *Aug 14 20:26:10.497 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000217: *Aug 14 20:26:10.497 PCTime: ISAKMP: set new node 0 to QM_IDLE
000218: *Aug 14 20:26:10.501 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <ROUTERAIPADDESS>, remote <ROUTERBIPADDESS>)
000219: *Aug 14 20:26:10.501 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
000220: *Aug 14 20:26:10.501 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
000221: *Aug 14 20:26:10.501 PCTime: ISAKMP:(0):purging SA., sa=862AA474, delme=862AA474

000222: *Aug 14 20:26:20.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000223: *Aug 14 20:26:20.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000224: *Aug 14 20:26:20.497 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000225: *Aug 14 20:26:20.497 PCTime: ISAKMP:(0): sending packet to <ROUTERBIPADDESS> my_port 500 peer_port 500 (I) MM_NO_STATE
000226: *Aug 14 20:26:20.497 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.all


0
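Reading a debug like the one above by hand is error-prone, so here is an added example (not code from the thread or from Cisco) that reduces a "debug crypto isakmp" capture to the facts that matter for triage: the ISAKMP state transitions, the phase-1 retransmit counter, how many packets were sent versus received, and the SA deletion reason, then names a failure class. The sample log is constructed to reproduce the pattern above (MM1 sent, retransmits up to 5 of 5, "Death by retransmission P1", no "received packet from" line), with placeholder addresses. The classifier labels and the function names are my own; only the "Old State = ... New State = ..." lines report the ISAKMP SA state, while "set new node 0 to QM_IDLE" allocates a message node and does not by itself mean the SA reached quick mode.

```python
"""Triage helper for 'debug crypto isakmp' output like the capture above (added
example, not code from the thread or from Cisco).  Only the 'Old State = ...
New State = ...' lines report the ISAKMP SA state; 'set new node 0 to QM_IDLE'
allocates a message node and does not mean the SA reached quick mode."""
import re

# Constructed sample modelled on the posted debug; addresses are placeholders.
SAMPLE_DEBUG = """\
000181: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): SA request profile is (NULL)
000186: *Aug 14 20:25:40.497 PCTime: ISAKMP: set new node 0 to QM_IDLE
000189: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):found peer pre-shared key matching 203.0.113.2
000195: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
000197: *Aug 14 20:25:40.497 PCTime: ISAKMP:(0): sending packet to 203.0.113.2 my_port 500 peer_port 500 (I) MM_NO_STATE
000200: *Aug 14 20:25:50.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000202: *Aug 14 20:25:50.497 PCTime: ISAKMP:(0): sending packet to 203.0.113.2 my_port 500 peer_port 500 (I) MM_NO_STATE
000218: *Aug 14 20:26:10.501 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 203.0.113.1, remote 203.0.113.2)
000219: *Aug 14 20:26:10.501 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
000230: *Aug 14 20:26:30.497 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000232: *Aug 14 20:26:40.501 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.2)
000240: *Aug 14 20:26:40.501 PCTime: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
SEND_RE = re.compile(r"sending packet to (\S+)")
RECV_RE = re.compile(r"received packet from (\S+)")


def parse_isakmp_debug(text):
    """Reduce one debug capture to the handful of facts triage needs."""
    s = {"transitions": [], "max_attempt": 0, "attempt_limit": None,
         "delete_reasons": [], "sent": 0, "received": 0,
         "sa_init_failures": 0, "peers": set()}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            s["transitions"].append(m.groups())
        elif m := RETRANS_RE.search(line):
            s["max_attempt"] = max(s["max_attempt"], int(m.group(1)))
            s["attempt_limit"] = int(m.group(2))
        elif m := DELETE_RE.search(line):
            s["delete_reasons"].append(m.group(1))
        elif m := SEND_RE.search(line):
            s["sent"] += 1
            s["peers"].add(m.group(1))
        elif RECV_RE.search(line):
            s["received"] += 1
        elif "Failed to initialize SA" in line:
            s["sa_init_failures"] += 1
    return s


def diagnose(s):
    """Map a parsed capture to a failure class a practitioner can act on."""
    states = [new for _, new in s["transitions"]]
    died_in_p1 = any("P1" in r for r in s["delete_reasons"])
    if died_in_p1 and s["received"] == 0:
        # MM1 was (re)sent up to the limit and nothing ever came back: the peer's
        # first main-mode reply never reached this router's IKE process.  Check
        # UDP/500 reachability in both directions and the peer's isakmp/crypto-map
        # configuration; the pre-shared key is not used until MM5/MM6, so a PSK
        # typo cannot produce this pattern.
        return "phase1-no-reply"
    if died_in_p1:
        return "phase1-failed-after-reply"   # policy, PSK or identity mismatch
    if "IKE_P1_COMPLETE" in states:
        return "phase1-complete"             # look at phase 2 / ipsec sa / ACLs
    return "undetermined"


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(f"retransmits: {summary['max_attempt']}/{summary['attempt_limit']}, "
          f"sent {summary['sent']}, received {summary['received']}")
    print("transitions:", ", ".join(f"{o}->{n}" for o, n in summary["transitions"]))
    print("diagnosis:", diagnose(summary))
```

On the constructed sample the classifier returns phase1-no-reply: the only transitions are IKE_READY to IKE_I_MM1 and IKE_I_MM1 to IKE_DEST_SA, five retransmits were sent and nothing was received. The "Failed to initialize SA" lines are counted separately because they are a consequence (a quick-mode request queued while phase 1 is still incomplete) rather than the cause, and the same capture from the other router is the natural next input to feed through it.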
 

Author Comment

by:bluecc
Below are Router A and Router B configs. Thanks again for the help everyone.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <ROUTERA>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4052530123
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4052530123
 revocation-check none
 rsakeypair TP-self-signed-4052530123
!
!
crypto pki certificate chain TP-self-signed-4052530123
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303532 35333031 3233301E 170D3130 30373032 31363436
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30353235
  33303132 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F22D 0AC7AE63 FBA6CF49 40D9C61F 011FDD8E 639F60FC 2B25561A 6A937BDD
  A7B536F7 F591C5F0 DB1EF660 8A78A9A3 3D2691D6 CCC36734 5B0EACFF 3788DAB0
  2335CE35 53135F2B 2FF130E3 CB8419E7 FCA12958 FA1576FC ABB149F2 0BACC389
  D039E324 12A848C1 D712BE68 09A100B3 8E972F9A 89E36682 88B375F0 A3B0805E
  BF670203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 11727472 2D796F72 6B2E6266 70642E63 6F6D301F 0603551D
  23041830 16801436 AF01335D 581256E3 70C32023 FB4CA008 9ABDF030 1D060355
  1D0E0416 041436AF 01335D58 1256E370 C32023FB 4CA0089A BDF0300D 06092A86
  4886F70D 01010405 00038181 004ED8A0 19FE1545 31A4D819 39B491EF 0F1E829A
  1E2EC1B2 75AEA6F6 F20CD38C C1891C68 87271560 C8AC4561 791CF9EC 48CE9EB0
  4977D264 26057C7D D69A69BF 5EB82630 B9BC3249 605D889B 912C2650 20C909BC
  D2F2A77B 3AA02C39 90A3E82F 52FC04B9 91F7C194 A09C4E10 E8787538 9C89DFA9
  9929FEB7 517DEE55 B7CF0D63 36
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.4 64.105.179.138
!
!
ip cef
no ip bootp server
ip domain name bfpd.com
ip name-server <DNS1>
ip name-server <DNS2>
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn 
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ****** address <ROUTERBADDRESS>
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer <ROUTERBADDRESS>
 set transform-set esp-aes-sha
 match address 101
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address <ROUTERAADDRESS> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.3 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.3 47 interface FastEthernet4 47
ip nat inside source static udp 192.168.1.3 67 interface FastEthernet4 67
ip nat inside source static udp 192.168.1.3 68 interface FastEthernet4 68
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500
ip nat inside source list 111 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <GATEWAY>
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 69.3.229.0 0.0.0.255 any
access-list 100 permit gre any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
 !
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <ROUTERB>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3533576425
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3533576425
 revocation-check none
 rsakeypair TP-self-signed-3533576425
!
!
crypto pki certificate chain TP-self-signed-3533576425
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353333 35373634 3235301E 170D3130 30373134 30313239
  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35333335
  37363432 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B7A1 950DFF3E 1E8A9508 9D9F489D 4E96C2DF 3AD50ACF FB48782C F56B3DBF
  B0949CBA CC66EF3E 9F3C863C 4977219F A24E6893 4DCEF376 E663E6A2 3A5EA509
  F9974901 9A5F5967 81E61DDB CEFF7B36 802F28AA 3F582903 2228D85B 0FD1269A
  7214A404 9AB96F94 31663C9A 14DA8563 1CAA31BF D23BE567 8F1D08D8 A96CA0B0
  3C230203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 12727472 2D666F73 7465722E 6266642E 636F6D30 1F060355
  1D230418 30168014 47B39DE3 A3E0A4C2 80447A33 95F1ED95 51BC786A 301D0603
  551D0E04 16041447 B39DE3A3 E0A4C280 447A3395 F1ED9551 BC786A30 0D06092A
  864886F7 0D010104 05000381 81008707 65F450D5 433B5233 0B339846 C0A791D9
  DD420C51 2026999B FB4E4F41 CC8F1F5C 447B3C0D 26039E20 EF371E97 6E34CDB9
  7C8A4B80 48FA0C00 BF547BF2 2FE638B8 12EB7A8B F64C348C 2902B3EA 17698397
  3AB646FF 6668B6A0 15AE8B39 A1076EF5 E8AE68BE 861C93CE 59B57400 D01BB7FE
  9E223D22 72F4BD77 3D49C31A 7B6D
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 64.105.189.26 64.105.179.138
   default-router 192.168.4.1
!
!
ip cef
no ip bootp server
ip domain name bfd.com
ip name-server <DNS1>
ip name-server <DNS2>
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn 
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key kaiD4le1b address <ROUTERAADDRESS>
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer <ROUTERAADDRESS>
 set transform-set esp-aes-sha
 match address 101
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address <ROUTERBADDRESS> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 111 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <GATEWAY>
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 68.166.95.208 0.0.0.7 any
access-list 100 permit gre any any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
 !
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


0
 
LVL 24

Expert Comment

by:Ken Boone
Not sure what your problem is at this point. The config looks good. The debug does not look like the keys don't match; you generally get a different message if the keys have a typo or something. It looks like the tunnel comes up as I see it go to qm-idle state which is good, but it looks like it is having a problem with the security association. The config looks good to me right now, nothing is glaring at me being the problem. The security associations are what the ipsec stuff is referencing with your access-lists. Perhaps things just got hosed up when you changed the ACLs and the routers need a reboot. I would give that a try and see what happens unless anyone sees anything else.
0
 

Author Comment

by:bluecc
I just tried a reload on both of the routers but didn't have any luck. They're still showing Down with Send errors on the 'sh crypto ipsec session'. Here's the sh crypto session. Anything else I can try?

#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: DOWN
Peer: <ROUTERB> port 500
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.4.0/255.255.255.0
        Active SAs: 0, origin: crypto map
0
 
LVL 24

Expert Comment

by:Ken Boone
At this point I'm not sure why it's not working. These are things I would try:

Removing and re-adding the following crypto statement on each router:

crypto isakmp key kaiD4le1b address <ROUTERAADDRESS>

I would put this in notepad, copy it replace the router address on the second one and paste the appropriate line back into each config.  This guarantees no typos in the pre-shared key.

Secondly, you might want to add this:

crypto ipsec security-association lifetime seconds 86400


then see what happens.
0
 

Author Comment

by:bluecc
Ken,

Just following up to say I tried those two items to no avail. I'm stumped. Hopefully someone can jump in with us.
0
 
LVL 24

Expert Comment

by:Ken Boone
000166: *Aug 14 20:25:10.497 PCTime: ISAKMP: set new node 0 to QM_IDLE
000167: *Aug 14 20:25:10.501 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <ROUTERAIPADDESS>, remote <ROUTERBIPADDESS>)
000168: *Aug 14 20:25:10.501 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA


This part of the debug shows that isakmp went to qm_idle state which is good, then the last line states that there is an error while processing the SA. The SA is the security associations. That is the piece that says this ip address can talk to that ip address across this tunnel. This relates directly to access-list 101. The two access-lists on each router have to match but be the reciprocal of each other. Your access-list looks good.

The only other thing you might try is to remove all configuration dealing with the tunnel on one router, give it a reboot, and then re-configure it. It might be something in the SA table that is screwed up. Either that or there is something really really simple that is staring me in the face and I just can't see it.
0
 

Author Comment

by:bluecc
I've tried different encryption methods now, switching between aes and 3des to no avail. I've also changed the following but no luck:

ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <GATEWAYIP>
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit udp host <ROUTERBIP> any eq isakmp
access-list 111 permit esp host <ROUTERBIP> any
!
!
route-map nonat permit 10
 match ip address 111
0
 
LVL 24

Expert Comment

by:Ken Boone
One other thought here.  What IOS version is running on each router?
0
 

Author Comment

by:bluecc
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)

System image file is "flash:c880data-universalk9-mz.150-1.M2.bin"
0
 
LVL 24

Expert Comment

by:Ken Boone
Do you have smartnet on this?
0
 

Author Comment

by:bluecc
Unfortunately not. I called the ISP as I wanted to make sure there was nothing blocking on their end. They took a look at the config and said after reviewing they see that the config would not work but didn't want to say anything further without a huge fee. So I'm guessing we're close but overlooking something. I just don't know what after reviewing and comparing to those Cisco examples. The only difference I can think of is that we're using Vlans.
0
 
LVL 24

Expert Comment

by:Ken Boone
Actually, now that you mention the ISP: I have seen this scenario twice before where the ISAKMP would connect but the IPSEC traffic would not pass, and it was the ISP's fault.

So what you need to do is this.

Create an ACL like this:

access-list 120 permit udp host rtrB-ip host rtrA-ip eq isakmp log
access-list 120 permit esp host rtrB-ip host rtrA-ip log
access-list 120 permit ip any any

Then apply this to the outside interface on rtra for packets inbound.

Then do the same but reversed on rtrb.

The "log" parameter will log the hits against the access-list.

So then try to connect again and see if you are seeing any ESP packets.  If not, it's getting blocked somewhere.

0
 

Author Comment

by:bluecc
Here's what I have for the ACLs now:

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit udp host <ROUTERBIP> any eq isakmp log
access-list 111 permit esp host <ROUTERBIP> any log

Here's what I get on debug isakmp and ipsec when I do a ping from A to B:

000695: *Aug 27 08:28:04.382 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (N) NEW SA
000696: *Aug 27 08:28:04.382 PCTime: ISAKMP: Created a peer struct for <ROUTERA>, peer port 500
000697: *Aug 27 08:28:04.382 PCTime: ISAKMP: New peer created peer = 0x85192EEC peer_handle = 0x80000669
000698: *Aug 27 08:28:04.382 PCTime: ISAKMP: Locking peer struct 0x85192EEC, refcount 1 for crypto_isakmp_process_block
000699: *Aug 27 08:28:04.382 PCTime: ISAKMP: local port 500, remote port 500
000700: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):insert sa successfully sa = 86203154
000701: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000702: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

000703: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): processing SA payload. message ID = 0
000704: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):found peer pre-shared key matching <ROUTERA>
000705: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): local preshared key found
000706: *Aug 27 08:28:04.382 PCTime: ISAKMP : Scanning profiles for xauth ...
000707: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
000708: *Aug 27 08:28:04.382 PCTime: ISAKMP:      encryption AES-CBC
000709: *Aug 27 08:28:04.382 PCTime: ISAKMP:      keylength of 128
000710: *Aug 27 08:28:04.382 PCTime: ISAKMP:      hash SHA
000711: *Aug 27 08:28:04.382 PCTime: ISAKMP:      default group 5
000712: *Aug 27 08:28:04.382 PCTime: ISAKMP:      auth pre-share
000713: *Aug 27 08:28:04.382 PCTime: ISAKMP:      life type in seconds
000714: *Aug 27 08:28:04.382 PCTime: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
000715: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
000716: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:actual life: 0
000717: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:life: 0
000718: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa vpi_length:4
000719: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000720: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Returning Actual lifetime: 86400
000721: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0)::Started lifetime timer: 86400.

000722: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000723: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

000724: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000725: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000726: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000727: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

000728: *Aug 27 08:28:14.370 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
000729: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000730: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000731: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000732: *Aug 27 08:28:14.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000733: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000734: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000735: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000736: *Aug 27 08:28:24.374 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
000737: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000738: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000739: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000740: *Aug 27 08:28:24.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000741: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000742: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000743: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000744: *Aug 27 08:28:34.370 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
000745: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000746: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000747: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000748: *Aug 27 08:28:34.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000749: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000750: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000751: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000752: *Aug 27 08:28:44.374 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
000753: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000754: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000755: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000756: *Aug 27 08:28:44.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000757: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000758: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000759: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000760: *Aug 27 08:28:54.370 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
000761: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000762: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000763: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000764: *Aug 27 08:28:54.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000765: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000766: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
000767: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000768: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000769: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

000770: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer <ROUTERA>)
000771: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer <ROUTERA>)
000772: *Aug 27 08:29:04.870 PCTime: ISAKMP: Unlocking peer struct 0x85192EEC for isadb_mark_sa_deleted(), count 0
000773: *Aug 27 08:29:04.870 PCTime: ISAKMP: Deleting peer node by peer_reap for <ROUTERA>: 85192EEC
000774: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000775: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

000776: *Aug 27 08:29:04.870 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000777: *Aug 27 08:30:04.870 PCTime: ISAKMP:(0):purging SA., sa=86203154, delme=86203154


0
 
LVL 24

Expert Comment

by:Ken Boone
That's not exactly what I mean by the ACL setup.

acl 111 should only be this:

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any

This ACL only defines what is allowed to NAT when going out the interface, and that's it.  So this is all you need for ACL 111.  It should only be referenced in one place, and that is in this command:

ip nat inside source list 111 interface FastEthernet4 overload


That's it.  Don't change 111 from that.

Create another ACL like this:

access-list 120 permit udp host rtrB-ip host rtrA-ip eq isakmp log
access-list 120 permit esp host rtrB-ip host rtrA-ip log
access-list 120 permit ip any any

Then apply this new ACL to the outside interface:

Interface fastethernet4
ip access-group 120 in

Then when you start the tunnel, you can see if you are taking hits on both the udp isakmp packets as well as the esp packets if you do a show access-list 120 after you try to make the connection.

You need to do this on both sides.
0
 

Author Comment

by:bluecc
Ok, got it. I made those ACL changes and verified. But as soon as I did

Interface fastethernet4
ip access-group 120 in

it dropped the Internet connection.
0
 
LVL 24

Expert Comment

by:Ken Boone
You included the permit ip any any at the end of it right?
0
 

Author Comment

by:bluecc
I had screwed that up. Didn't have enough coffee this morning. But, all normal now and here are the logs from pinging ROUTERA to ROUTERB. You'll see a few packets showing up from the new log message.

ROUTERA:

Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1

000166: *Aug 27 16:12:12.139 PCTime: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= <ROUTERA>, remote= <ROUTERB>,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000167: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): SA request profile is (NULL)
000168: *Aug 27 16:12:12.139 PCTime: ISAKMP: Created a peer struct for <ROUTERB>, peer port 500
000169: *Aug 27 16:12:12.139 PCTime: ISAKMP: New peer created peer = 0x85F4132C peer_handle = 0x80000004
000170: *Aug 27 16:12:12.139 PCTime: ISAKMP: Locking peer struct 0x85F4132C, refcount 1 for isakmp_initiator
000171: *Aug 27 16:12:12.139 PCTime: ISAKMP: local port 500, remote port 500
000172: *Aug 27 16:12:12.139 PCTime: ISAKMP: set new node 0 to QM_IDLE
000173: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):insert sa successfully sa = 8608CF60
000174: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000175: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):found peer pre-shared key matching <ROUTERB>
000176: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000177: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
000178: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
000179: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
000180: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000181: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

000182: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): beginning Main Mode exchange
000183: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000184: *Aug 27 16:12:12.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
<ROUTERA>#
000185: *Aug 27 16:12:22.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000186: *Aug 27 16:12:22.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000187: *Aug 27 16:12:22.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000188: *Aug 27 16:12:22.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000189: *Aug 27 16:12:22.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000190: *Aug 27 16:12:32.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000191: *Aug 27 16:12:32.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000192: *Aug 27 16:12:32.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000193: *Aug 27 16:12:32.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000194: *Aug 27 16:12:32.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000195: *Aug 27 16:12:42.139 PCTime: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= <ROUTERA>, remote= <ROUTERB>,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
000196: *Aug 27 16:12:42.139 PCTime: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= <ROUTERA>, remote= <ROUTERB>,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000197: *Aug 27 16:12:42.139 PCTime: ISAKMP: set new node 0 to QM_IDLE
000198: *Aug 27 16:12:42.139 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <ROUTERA>, remote <ROUTERB>)
000199: *Aug 27 16:12:42.139 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
000200: *Aug 27 16:12:42.139 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
000201: *Aug 27 16:12:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000202: *Aug 27 16:12:42.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000203: *Aug 27 16:12:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000204: *Aug 27 16:12:42.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000205: *Aug 27 16:12:42.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000206: *Aug 27 16:12:49.515 PCTime: %SEC-6-IPACCESSLOGP: list 120 permitted udp <ROUTERB>(500) -> <ROUTERA>(500), 15 packets
000207: *Aug 27 16:12:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000208: *Aug 27 16:12:52.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000209: *Aug 27 16:12:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000210: *Aug 27 16:12:52.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000211: *Aug 27 16:12:52.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000212: *Aug 27 16:13:02.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000213: *Aug 27 16:13:02.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000214: *Aug 27 16:13:02.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000215: *Aug 27 16:13:02.139 PCTime: ISAKMP:(0): sending packet to <ROUTERB> my_port 500 peer_port 500 (I) MM_NO_STATE
000216: *Aug 27 16:13:02.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000217: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000218: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

000219: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <ROUTERB>)
000220: *Aug 27 16:13:12.139 PCTime: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= <ROUTERA>, remote= <ROUTERB>,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
000221: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <ROUTERB>)
000222: *Aug 27 16:13:12.139 PCTime: ISAKMP: Unlocking peer struct 0x85F4132C for isadb_mark_sa_deleted(), count 0
000223: *Aug 27 16:13:12.139 PCTime: ISAKMP: Deleting peer node by peer_reap for <ROUTERB>: 85F4132C
000224: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):deleting node -1690877897 error FALSE reason "IKE deleted"
000225: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):deleting node -1585321372 error FALSE reason "IKE deleted"
000226: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000227: *Aug 27 16:13:12.139 PCTime: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

000228: *Aug 27 16:13:12.139 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
ROUTERB

001227: *Aug 27 16:12:29.508 PCTime: %SEC-6-IPACCESSLOGP: list 120 permitted udp <ROUTERA>(500) -> <ROUTERB>(500), 11 packets
001228: *Aug 27 16:12:30.432 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (N) NEW SA
001229: *Aug 27 16:12:30.432 PCTime: ISAKMP: Created a peer struct for <ROUTERA>, peer port 500
001230: *Aug 27 16:12:30.432 PCTime: ISAKMP: New peer created peer = 0x866D005C peer_handle = 0x80000673
001231: *Aug 27 16:12:30.432 PCTime: ISAKMP: Locking peer struct 0x866D005C, refcount 1 for crypto_isakmp_process_block
001232: *Aug 27 16:12:30.432 PCTime: ISAKMP: local port 500, remote port 500
001233: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0):insert sa successfully sa = 8666D624
001234: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001235: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

001236: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): processing SA payload. message ID = 0
001237: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): processing vendor id payload
001238: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
001239: *Aug 27 16:12:30.432 PCTime: ISAKMP (0): vendor ID is NAT-T RFC 3947
001240: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): processing vendor id payload
001241: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
001242: *Aug 27 16:12:30.432 PCTime: ISAKMP (0): vendor ID is NAT-T v7
001243: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): processing vendor id payload
001244: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
001245: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID is NAT-T v3
001246: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): processing vendor id payload
001247: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
001248: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0): vendor ID is NAT-T v2
001249: *Aug 27 16:12:30.432 PCTime: ISAKMP:(0):found peer pre-shared key matching <ROUTERA>
001250: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): local preshared key found
001251: *Aug 27 16:12:30.436 PCTime: ISAKMP : Scanning profiles for xauth ...
001252: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
001253: *Aug 27 16:12:30.436 PCTime: ISAKMP:      encryption AES-CBC
001254: *Aug 27 16:12:30.436 PCTime: ISAKMP:      keylength of 128
001255: *Aug 27 16:12:30.436 PCTime: ISAKMP:      hash SHA
001256: *Aug 27 16:12:30.436 PCTime: ISAKMP:      default group 5
001257: *Aug 27 16:12:30.436 PCTime: ISAKMP:      auth pre-share
001258: *Aug 27 16:12:30.436 PCTime: ISAKMP:      life type in seconds
001259: *Aug 27 16:12:30.436 PCTime: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
001260: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
001261: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Acceptable atts:actual life: 0
001262: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Acceptable atts:life: 0
001263: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Fill atts in sa vpi_length:4
001264: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
001265: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Returning Actual lifetime: 86400
001266: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0)::Started lifetime timer: 86400.

001267: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): processing vendor id payload
001268: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
001269: *Aug 27 16:12:30.436 PCTime: ISAKMP (0): vendor ID is NAT-T RFC 3947
001270: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): processing vendor id payload
001271: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
001272: *Aug 27 16:12:30.436 PCTime: ISAKMP (0): vendor ID is NAT-T v7
001273: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): processing vendor id payload
001274: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
001275: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID is NAT-T v3
001276: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): processing vendor id payload
001277: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
001278: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): vendor ID is NAT-T v2
001279: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001280: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

001281: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001282: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001283: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001284: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001285: *Aug 27 16:12:30.436 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

001286: *Aug 27 16:12:40.432 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
001287: *Aug 27 16:12:40.432 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
001288: *Aug 27 16:12:40.432 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
001289: *Aug 27 16:12:40.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001290: *Aug 27 16:12:40.932 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001291: *Aug 27 16:12:40.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
001292: *Aug 27 16:12:40.932 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001293: *Aug 27 16:12:40.932 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001294: *Aug 27 16:12:50.428 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
001295: *Aug 27 16:12:50.428 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
001296: *Aug 27 16:12:50.428 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
001297: *Aug 27 16:12:50.928 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001298: *Aug 27 16:12:50.928 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
001299: *Aug 27 16:12:50.928 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
001300: *Aug 27 16:12:50.928 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001301: *Aug 27 16:12:50.928 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001302: *Aug 27 16:13:00.432 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
001303: *Aug 27 16:13:00.432 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
001304: *Aug 27 16:13:00.432 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
001305: *Aug 27 16:13:00.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001306: *Aug 27 16:13:00.932 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
001307: *Aug 27 16:13:00.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
001308: *Aug 27 16:13:00.932 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001309: *Aug 27 16:13:00.932 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001310: *Aug 27 16:13:10.432 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
001311: *Aug 27 16:13:10.432 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
001312: *Aug 27 16:13:10.432 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
001313: *Aug 27 16:13:10.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001314: *Aug 27 16:13:10.932 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
001315: *Aug 27 16:13:10.932 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
001316: *Aug 27 16:13:10.932 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001317: *Aug 27 16:13:10.932 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001318: *Aug 27 16:13:20.428 PCTime: ISAKMP (0): received packet from <ROUTERA> dport 500 sport 500 Global (R) MM_SA_SETUP
001319: *Aug 27 16:13:20.428 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
001320: *Aug 27 16:13:20.428 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
001321: *Aug 27 16:13:20.928 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001322: *Aug 27 16:13:20.928 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001323: *Aug 27 16:13:20.928 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
001324: *Aug 27 16:13:20.928 PCTime: ISAKMP:(0): sending packet to <ROUTERA> my_port 500 peer_port 500 (R) MM_SA_SETUP
001325: *Aug 27 16:13:20.928 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001326: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
001327: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

001328: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer <ROUTERA>)
001329: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer <ROUTERA>)
001330: *Aug 27 16:13:30.928 PCTime: ISAKMP: Unlocking peer struct 0x866D005C for isadb_mark_sa_deleted(), count 0
001331: *Aug 27 16:13:30.928 PCTime: ISAKMP: Deleting peer node by peer_reap for <ROUTERA>: 866D005C
001332: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001333: *Aug 27 16:13:30.928 PCTime: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

001334: *Aug 27 16:13:30.928 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001335: *Aug 27 16:14:30.928 PCTime: ISAKMP:(0):purging SA., sa=8666D624, delme=8666D624
0
 
LVL 24

Expert Comment

by:Ken Boone
Ok, so now that you have the access-list set up right on the outside interface, what you need to do right after you attempt your connection is this:

show access-list 120 or whatever it is that you had on the outside interface.

You should see hit counts on both entries for isakmp and esp.  What I want to know is if you are only seeing hit counts on isakmp and none on esp.

So try to bring up the tunnel by pinging across it and then issue a show ip access-list 120 and post those results.
0
 

Author Comment

by:bluecc
Looks like we're only seeing the UDP matches, not esp. Below are the before and after counts on both routers:

<ROUTERA>#show access-lists 120
Extended IP access list 120
    10 permit esp host <ROUTERB> any log
    20 permit udp host <ROUTERB> any eq isakmp log (13813 matches)
    30 permit ip any any (1600060 matches)
<ROUTERA>#ping
Protocol [ip]:
Target IP address: 192.168.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
<ROUTERA>#show access-lists 120
Extended IP access list 120
    10 permit esp host <ROUTERB> any log
    20 permit udp host <ROUTERB> any eq isakmp log (13820 matches)
    30 permit ip any any (1600263 matches)
<ROUTERA>#



<ROUTERB># sh access-lists 120
Extended IP access list 120
    10 permit esp host <ROUTERA> any log
    20 permit udp host <ROUTERA> any eq isakmp log (12091 matches)
    30 permit ip any any (2076362 matches)
<ROUTERB># sh access-lists 120
Extended IP access list 120
    10 permit esp host <ROUTERA> any log
    20 permit udp host <ROUTERA> any eq isakmp log (12100 matches)
    30 permit ip any any (2076378 matches)
<ROUTERB>#
0
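The before/after counter comparison Ken asks for, done mechanically: this is an added example, not code from the thread, and the two snapshots are constructed to look like the ACL 120 output above (placeholder peer address 203.0.113.2 stands in for the real one). It parses the per-ACE "(N matches)" counters, computes the hit delta over the tunnel attempt, and names the tunnel protocols (esp, isakmp) whose entry never incremented.

```python
"""Diff two IOS 'show access-lists' snapshots taken around a tunnel attempt.

Constructed sample output (not the thread's real addresses), shaped like the
ACL 120 that was applied inbound on the outside interface.
"""
import re

# One access-control entry line, e.g.
#   "    20 permit udp host 203.0.113.2 any eq isakmp log (13813 matches)"
# Entries that never matched carry no "(N matches)" suffix at all.
ACE_PAT = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<text>.+?)(?:\s+\((?P<hits>\d+) matches\))?$"
)

# Snapshot before the ping across the tunnel (constructed).
BEFORE = """\
<ROUTERA>#show access-lists 120
Extended IP access list 120
    10 permit esp host 203.0.113.2 any log
    20 permit udp host 203.0.113.2 any eq isakmp log (13813 matches)
    30 permit ip any any (1600060 matches)
"""

# Snapshot after the five ICMP echos timed out (constructed).
AFTER = """\
<ROUTERA>#show access-lists 120
Extended IP access list 120
    10 permit esp host 203.0.113.2 any log
    20 permit udp host 203.0.113.2 any eq isakmp log (13820 matches)
    30 permit ip any any (1600263 matches)
"""


def parse_counters(output):
    """Return {sequence_number: (ace_text, hit_count)} for one snapshot."""
    counters = {}
    for line in output.splitlines():
        m = ACE_PAT.match(line)
        if m:
            hits = int(m.group("hits") or 0)  # missing suffix means zero hits
            counters[int(m.group("seq"))] = (m.group("text"), hits)
    return counters


def hit_deltas(before, after):
    """Per-ACE increase in matches between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {seq: (a[seq][0], a[seq][1] - b[seq][1]) for seq in a if seq in b}


def silent_tunnel_entries(before, after, needed=("esp", "isakmp")):
    """Tunnel protocols whose ACE received no hits during the attempt.

    Both IKE (udp/isakmp) and ESP must reach the router for a crypto-map
    tunnel to pass traffic; a protocol listed here never arrived.
    """
    silent = []
    for _seq, (text, delta) in sorted(hit_deltas(before, after).items()):
        for proto in needed:
            if re.search(rf"\b{proto}\b", text) and delta == 0:
                silent.append(proto)
    return silent


if __name__ == "__main__":
    for seq, (text, delta) in sorted(hit_deltas(BEFORE, AFTER).items()):
        print(f"{seq:>4} {text:<50} +{delta}")
    print("no hits during attempt:", silent_tunnel_entries(BEFORE, AFTER))
```

On the sample snapshots the ISAKMP entry gains 7 hits while the ESP entry gains none, which is exactly the pattern reported in the post above.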
 
LVL 24

Expert Comment

by:Ken Boone
If you are not seeing ESP packets you need to talk to the ISPs involved and see if they can verify that they are seeing them.  I don't see anything wrong with your configs.
0

Author Comment
by:bluecc
Ugh, wish I had better news. The ISP looked at the configs and said that they noticed something configured wrong which would cause it not to work. They won't say what but they'll gladly charge a huge fee to reconfigure it. Any other thoughts on what would cause the esp to not increment? Would the fact that I'm doing some port forwarding have anything to do with it?
0

LVL 24
Accepted Solution
by: Ken Boone earned 500 total points
Sure enough that is the problem.

On this line here:
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500

you are port forwarding UDP/500.  UDP/500 is what isakmp uses.  So you need to remove that port forward as that must be what is causing this problem.  I really didn't look at your port forwarding as I didn't figure you had used this port.

Remove that line and I bet things come right up.

Your ISP is a bunch of jerks for not helping you out on this when they saw it!
0
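Ken's finding is a checkable pattern: a static NAT entry that forwards UDP/500 (or UDP/4500 for NAT-T) arriving on the interface that carries the crypto map sends the peer's IKE packets to an inside host instead of the router's own IKE process, so the ACL counts isakmp hits but phase 1 never completes and no ESP ever flows. The following is an added example (Python, not code from the thread or from Cisco) that scans an IOS running-config for that conflict. The configuration text is constructed: the interface addresses, the RDP forward and the crypto map name VPN_MAP are assumptions, while the UDP/500 NAT line is the one quoted in the accepted answer.

```python
import re
from typing import Dict, List

# Constructed IOS configuration fragment modelled on the thread. The UDP/500
# port-forward is the line quoted in the accepted answer; addresses, the RDP
# forward and the crypto map name VPN_MAP are placeholders, not the asker's config.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
 crypto map VPN_MAP
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source list 1 interface FastEthernet4 overload
"""

# UDP ports the router itself must receive when it terminates IPsec:
# 500 (ISAKMP/IKE) and 4500 (NAT-T)
IKE_UDP_PORTS = {500, 4500}

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)\s*$")


def crypto_map_interfaces(config: str) -> Dict[str, str]:
    """Return {interface name: crypto map name} for interfaces that terminate IPsec."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("!"):
            current = None
        elif current and line.strip().startswith("crypto map "):
            result[current] = line.split()[2]
    return result


def find_ike_port_conflicts(config: str) -> List[dict]:
    """Flag static NAT entries that steer UDP/500 or UDP/4500 arriving on an
    IPsec-terminating interface to an inside host. The translation is applied
    before the router's own IKE listener sees the packet, which matches the
    symptom in the thread: isakmp ACL hits, no ESP, tunnel never comes up."""
    vpn_ifaces = crypto_map_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line)
        if not m:
            continue
        proto, inside_ip, _inside_port, iface, outside_port = m.groups()
        if proto == "udp" and int(outside_port) in IKE_UDP_PORTS and iface in vpn_ifaces:
            findings.append({
                "line": line,
                "interface": iface,
                "crypto_map": vpn_ifaces[iface],
                "diverted_to": inside_ip,
                "port": int(outside_port),
            })
    return findings


if __name__ == "__main__":
    for f in find_ike_port_conflicts(SAMPLE_CONFIG):
        print(f"UDP/{f['port']} on {f['interface']} (crypto map {f['crypto_map']}) "
              f"is forwarded to {f['diverted_to']}; remove: no {f['line']}")
```

The check deliberately ignores the TCP forward and the overload entry: ordinary PAT for outbound traffic does not claim the router's own listening ports, and only an inbound static translation on the IKE ports on the VPN-facing interface produces the symptom seen here.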

Author Comment
by:bluecc
Sure enough, that fixed it! Don't know why it was there in the first place. Thanks for sticking through it with me!
0

LVL 24
Expert Comment
by:Ken Boone
I think I would call your account exec at your ISP or have your manager call them and complain about how they treated you.  Your config has been good for like a week now, and it was one little line that they refused to tell you without getting paid.  That is bad business in my world!
0

Author Comment
by:bluecc
I agree with you on that. I understand having to make money but when you're an ISP, you'd think you'd want your customer up and happy, especially since the customer has 2 circuits with them that we're trying to connect. I just replied to their nasty quote saying, "thanks for not pointing out the one small line. Working with someone else we resolved it."
0
