
Site-to-Site VPN Doesn't come up.  c2801 --> RVS4000

Posted on 2011-10-08
Last Modified: 2012-05-12
Experts,

I'm not a security guy at all, so please bear with me.

In the code block below, I pasted a debug of ISAKMP on my 2801 router.

What is the output trying to tell me on why the connection can't come up?

------------

Here's the current relative config on the IOS:


crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 208
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXX address YYY.YYY.YYY.YYY no-xauth
crypto isakmp key XXXX address XXX.XXX.XXX.XXX no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES_ESP-SHA-HMAC esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES_ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile XXXX_XXXX
 set transform-set ESP-AES_ESP-SHA-HMAC
!
crypto ipsec profile XXXX_XXXX
 set transform-set ESP-3DES_ESP-MD5-HMAC
!
!
crypto map NET_10_0_208_0 208 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set security-association idle-time 60
 set transform-set ESP-3DES_ESP-MD5-HMAC
 match address NET_10_0_208_0
!
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description XXXX
 crypto map NET_10_0_208_0
!
ip nat inside source list XXXX_NAT interface Dialer1 overload

ip access-list standard Internal
 permit 10.0.0.0 0.0.255.255
 permit 172.16.0.0 0.0.255.255
 deny   any log
!
ip access-list extended NET_10_0_208_0
 permit ip 10.0.0.0 0.0.16.255 10.0.208.0 0.0.0.255
ip access-list extended XXXX_NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended XXXX_VPNTraffic
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit gre any host XXX.XXX.XXX.XXX
 permit gre any host YYY.YYY.YYY.YYY

Oct  8 15:03:00.967: %FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event

Oct  8 15:03:05.975: %FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event

Oct  8 15:03:11.550: %FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event

Oct  8 15:03:39.396: ISAKMP (0:0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Oct  8 15:03:39.396: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
Oct  8 15:03:39.396: ISAKMP: New peer created peer = 0x64DBCB28 peer_handle = 0x80000159
Oct  8 15:03:39.396: ISAKMP: Locking peer struct 0x64DBCB28, IKE refcount 1 for crypto_isakmp_process_block
Oct  8 15:03:39.396: ISAKMP: local port 500, remote port 500
Oct  8 15:03:39.396: insert sa successfully sa = 64F5052C
Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 0 mismatch
Oct  8 15:03:39.396: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 164 mismatch
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): processing vendor id payload
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 221 mismatch
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching XXX.XXX.XXX.XXX
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0): local preshared key found
Oct  8 15:03:39.400: ISAKMP : Scanning profiles for xauth ...
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against priority 1 policy
Oct  8 15:03:39.400: ISAKMP:      life type in seconds
Oct  8 15:03:39.400: ISAKMP:      life duration (basic) of 28800
Oct  8 15:03:39.400: ISAKMP:      encryption 3DES-CBC
Oct  8 15:03:39.400: ISAKMP:      hash MD5
Oct  8 15:03:39.400: ISAKMP:      auth pre-share
Oct  8 15:03:39.400: ISAKMP:      default group 2
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against priority 208 policy
Oct  8 15:03:39.400: ISAKMP:      life type in seconds
Oct  8 15:03:39.400: ISAKMP:      life duration (basic) of 28800
Oct  8 15:03:39.400: ISAKMP:      encryption 3DES-CBC
Oct  8 15:03:39.400: ISAKMP:      hash MD5
Oct  8 15:03:39.400: ISAKMP:      auth pre-share
Oct  8 15:03:39.400: ISAKMP:      default group 2
Oct  8 15:03:39.400: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 0 mismatch
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID is DPD
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v3
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 164 mismatch
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): processing vendor id payload
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 221 mismatch
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct  8 15:03:39.456: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

Oct  8 15:03:39.460: ISAKMP:(0:2:SW:1): constructed NAT-T vendor-03 ID
Oct  8 15:03:39.460: ISAKMP:(0:2:SW:1): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct  8 15:03:39.460: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct  8 15:03:39.460: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

Oct  8 15:03:39.732: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_SA_SETUP
Oct  8 15:03:39.732: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct  8 15:03:39.732: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

Oct  8 15:03:39.736: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Oct  8 15:03:39.800: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Oct  8 15:03:39.800: ISAKMP:(0:2:SW:1):found peer pre-shared key matching XXX.XXX.XXX.XXX
Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1):SKEYID state generated
Oct  8 15:03:39.804: ISAKMP:received payload type 20
Oct  8 15:03:39.804: ISAKMP:received payload type 20
Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct  8 15:03:39.804: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

Oct  8 15:03:40.044: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct  8 15:03:40.044: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct  8 15:03:40.044: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Oct  8 15:03:40.048: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type         : 1
        address      : XXX.XXX.XXX.XXX
        protocol     : 0
        port         : 0
        length       : 12
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):SA authentication status:
        authenticated
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):SA has been authenticated with XXX.XXX.XXX.XXX
Oct  8 15:03:40.048: ISAKMP: Trying to insert a peer ZZZ.ZZZ.ZZZ.ZZZ/XXX.XXX.XXX.XXX/500/,  and inserted successfully 64DBCB28.
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):IKE_DPD is enabled, initializing timers
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct  8 15:03:40.048: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type         : 1
        address      : ZZZ.ZZZ.ZZZ.ZZZ
        protocol     : 17
        port         : 500
        length       : 12
Oct  8 15:03:40.048: ISAKMP:(0:2:SW:1):Total payload length: 12
Oct  8 15:03:40.052: ISAKMP:(0:2:SW:1): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct  8 15:03:40.052: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct  8 15:03:40.052: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Oct  8 15:03:40.052: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct  8 15:03:40.052: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct  8 15:03:40.252: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:03:40.252: ISAKMP: set new node -1436034293 to QM_IDLE
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -1436034293
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1): processing SA payload. message ID = -1436034293
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1):Checking IPSec proposal 0
Oct  8 15:03:40.256: ISAKMP: transform 0, ESP_3DES
Oct  8 15:03:40.256: ISAKMP:   attributes in transform:
Oct  8 15:03:40.256: ISAKMP:      encaps is 1 (Tunnel)
Oct  8 15:03:40.256: ISAKMP:      SA life type in seconds
Oct  8 15:03:40.256: ISAKMP:      SA life duration (basic) of 3600
Oct  8 15:03:40.256: ISAKMP:      authenticator is HMAC-MD5
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1):atts are acceptable.
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local ZZZ.ZZZ.ZZZ.ZZZ remote XXX.XXX.XXX.XXX)
Oct  8 15:03:40.256: ISAKMP: set new node 1111979763 to QM_IDLE
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1688783832, message ID = 1111979763
Oct  8 15:03:40.256: ISAKMP:(0:2:SW:1): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) QM_IDLE
Oct  8 15:03:40.260: ISAKMP:(0:2:SW:1):purging node 1111979763
Oct  8 15:03:40.260: ISAKMP:(0:2:SW:1):deleting node -1436034293 error TRUE reason "QM rejected"
Oct  8 15:03:40.260: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -1436034293: state = IKE_QM_READY
Oct  8 15:03:40.260: ISAKMP:(0:2:SW:1):Node -1436034293, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct  8 15:03:40.260: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
Oct  8 15:03:40.260: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at XXX.XXX.XXX.XXX
Oct  8 15:03:40.260: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:03:40.264: ISAKMP: set new node -2015231489 to QM_IDLE
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -2015231489
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1): processing SA payload. message ID = -2015231489
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1):Checking IPSec proposal 0
Oct  8 15:03:40.264: ISAKMP: transform 0, ESP_3DES
Oct  8 15:03:40.264: ISAKMP:   attributes in transform:
Oct  8 15:03:40.264: ISAKMP:      encaps is 1 (Tunnel)
Oct  8 15:03:40.264: ISAKMP:      SA life type in seconds
Oct  8 15:03:40.264: ISAKMP:      SA life duration (basic) of 3600
Oct  8 15:03:40.264: ISAKMP:      authenticator is HMAC-MD5
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1):atts are acceptable.
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local ZZZ.ZZZ.ZZZ.ZZZ remote XXX.XXX.XXX.XXX)
Oct  8 15:03:40.264: ISAKMP: set new node -85895595 to QM_IDLE
Oct  8 15:03:40.264: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1688783832, message ID = -85895595

Oct  8 15:03:40.268: ISAKMP:(0:2:SW:1): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) QM_IDLE
Oct  8 15:03:40.268: ISAKMP:(0:2:SW:1):purging node -85895595
Oct  8 15:03:40.268: ISAKMP:(0:2:SW:1):deleting node -2015231489 error TRUE reason "QM rejected"
Oct  8 15:03:40.268: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -2015231489: state = IKE_QM_READY
Oct  8 15:03:40.268: ISAKMP:(0:2:SW:1):Node -2015231489, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct  8 15:03:40.268: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY

Oct  8 15:03:50.075: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:03:50.079: ISAKMP:(0:2:SW:1): phase 2 packet is a duplicate of a previous packet.
Oct  8 15:03:50.079: ISAKMP:(0:2:SW:1): retransmitting due to retransmit phase 2
Oct  8 15:03:50.079: ISAKMP:(0:2:SW:1): ignoring retransmission,because phase2 node marked dead -2015231489
Oct  8 15:03:50.083: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:03:50.083: ISAKMP:(0:2:SW:1): phase 2 packet is a duplicate of a previous packet.

Oct  8 15:03:50.083: ISAKMP:(0:2:SW:1): retransmitting due to retransmit phase 2
Oct  8 15:03:50.083: ISAKMP:(0:2:SW:1): ignoring retransmission,because phase2 node marked dead -1436034293

Oct  8 15:04:04.869: %FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event

Oct  8 15:04:10.369: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:04:10.369: ISAKMP:(0:2:SW:1): phase 2 packet is a duplicate of a previous packet.
Oct  8 15:04:10.369: ISAKMP:(0:2:SW:1): retransmitting due to retransmit phase 2
Oct  8 15:04:10.369: ISAKMP:(0:2:SW:1): ignoring retransmission,because phase2 node marked dead -1436034293
Oct  8 15:04:10.373: ISAKMP (0:134217730): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) QM_IDLE
Oct  8 15:04:10.373: ISAKMP:(0:2:SW:1): phase 2 packet is a duplicate of a previous packet.

Oct  8 15:04:10.373: ISAKMP:(0:2:SW:1): retransmitting due to retransmit phase 2
Oct  8 15:04:10.373: ISAKMP:(0:2:SW:1): ignoring retransmission,because phase2 node marked dead -2015231489

Question by: usslindstrom

11 Comments
LVL 4

Accepted Solution

by:
dcj21 earned 1000 total points
ID: 36936278

Given these two messages:
:Encryption algorithm offered does not match policy!
 phase 2 SA policy not acceptable!

I would compare the IPSec config on the other device. Looks like the pre-shared key is good, but the phase 2 protocols don't match.

Hash Algorithm Offered does not Match Policy

If the configured ISAKMP policies do not match the proposed policy by the remote peer, the router tries the default policy of 65535. If that does not match either, it fails ISAKMP negotiation. A user receives either the Hash algorithm offered does not match policy! or Encryption algorithm offered does not match policy! error message on the routers.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#hash

Do you have the config on the other side?


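A small model of what the responder in the debug above is doing when it prints "Checking ISAKMP transform 0 against priority 1 policy" and then "Encryption algorithm offered does not match policy!". This is an added example, not code from the original post or from Cisco. It walks the 2801's two policies plus the implicit default policy 65535 in priority order, applying the IOS rule that every attribute of the offer must equal the policy except lifetime, where the responder accepts an offered lifetime shorter than or equal to its own. The policy and offer values are taken from the thread (group 2 is the 1024-bit MODP group the RVS4000 labels "1024-bit"); the reason strings other than the two quoted IOS messages are my wording.

```python
"""IKEv1 phase 1 policy selection, modelled on how an IOS responder walks its
"crypto isakmp policy" list. Added example, not from the original post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number is tried first; 0 is used for an offer
    encr: str
    hash_alg: str
    auth: str
    group: int             # Diffie-Hellman group; 2 = 1024-bit MODP
    lifetime: int = 86400  # IOS default ISAKMP SA lifetime in seconds


# Responder side: the two policies from the 2801 config in the question, followed
# by the implicit default policy 65535 that IOS appends (DES, SHA, RSA-sig, group 1).
ROUTER_POLICIES: List[IsakmpPolicy] = [
    IsakmpPolicy(1, "aes", "md5", "pre-share", 2),
    IsakmpPolicy(208, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1),
]

# Initiator side: the transform the RVS4000 offered, as shown in the debug
# (3DES-CBC, MD5, pre-share, group 2, 28800 s).
RVS4000_OFFER = IsakmpPolicy(0, "3des", "md5", "pre-share", 2, 28800)


def check_against(policy: IsakmpPolicy, offer: IsakmpPolicy) -> Optional[str]:
    """Return None when the offer is acceptable under this policy, otherwise the
    reason. The first two strings are the ones IOS logs; the rest are my wording."""
    if offer.encr != policy.encr:
        return "Encryption algorithm offered does not match policy!"
    if offer.hash_alg != policy.hash_alg:
        return "Hash algorithm offered does not match policy!"
    if offer.auth != policy.auth:
        return "authentication method mismatch"
    if offer.group != policy.group:
        return "Diffie-Hellman group mismatch"
    # Lifetime is the one attribute that need not be equal: the responder accepts
    # an offered lifetime no longer than its own and the shorter value is used.
    if offer.lifetime > policy.lifetime:
        return "offered lifetime longer than policy lifetime"
    return None


def select_policy(policies: List[IsakmpPolicy],
                  offer: IsakmpPolicy) -> Tuple[Optional[int], List[str]]:
    """Walk the policies in priority order. Returns (matching priority or None,
    a trace of one line per policy tried, in the style of the debug output)."""
    trace: List[str] = []
    for policy in sorted(policies, key=lambda p: p.priority):
        reason = check_against(policy, offer)
        if reason is None:
            trace.append(f"priority {policy.priority}: atts are acceptable")
            return policy.priority, trace
        trace.append(f"priority {policy.priority}: {reason}")
    return None, trace   # fell through the default policy too: phase 1 fails


if __name__ == "__main__":
    chosen, trace = select_policy(ROUTER_POLICIES, RVS4000_OFFER)
    print("\n".join(trace))
    print("phase 1 policy chosen:", chosen)
```

Run against the values from the thread it reports the mismatch on priority 1 and then "atts are acceptable" on priority 208, which is exactly the sequence in the debug: the first message in the accepted answer is the responder rejecting one policy before finding the one that matches, and phase 1 does complete (IKE_P1_COMPLETE). The failure in the debug is in phase 2.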
LVL 10

Assisted Solution

by:SuperTaco
SuperTaco earned 1000 total points
ID: 36936510
I would agree here. Call the other side and make sure the IKE proposals match.
LVL 5

Author Comment

by:usslindstrom
ID: 36937382
Certainly...

Here is the configuration from the little router (RVS4000):

Local Group Setup:
    Local Security Gateway Type:  IP Only
    IP Address:  XXX.XXX.XXX.XXX
    Local Security Group Type:  Subnet
    IP Address:  10.0.208.0
    Subnet Mask:  255.255.255.0

Remote Group Setup:
    Remote Security Gateway Type:  IP Only
    IP by DNS Resolved:  XXXX.com
    Remote Security Group Type:  Subnet
    IP Address:  10.0.0.0
    Subnet Mask:  255.255.240.0

IPSec Setup:
    Keying Mode:  IKE with Preshared Key

Phase 1:
    Encryption:  3DES
    Authentication:  MD5
    Group:  1024-bit
    Key Lifetime:  28800 sec

Phase 2:
    Encryption:  3DES
    Authentication:  MD5
    Perfect Forward Secrecy:  Disable
    Preshared key:  XXXX
    Group:  1024-bit
    Key Lifetime:  3600 sec

Status:
    Down
LVL 4

Assisted Solution

by:dcj21
dcj21 earned 1000 total points
ID: 36937687
Looks OK, but do the IP addresses in the config on the router match the outside interface of the RVS4000?

Your masking is blocking some clues.

LVL 5

Author Comment

by:usslindstrom
ID: 36937714
Sorry for the masking - just didn't want to blast that all over the net...

But in both configs, the IP address matches:


The 2801:

crypto isakmp key XXXX address XXX.XXX.XXX.XXX no-xauth

crypto map NET_10_0_208_0 208 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX

The remote location RVS4000:

Local Security Gateway Type:  IP Only
IP Address:  XXX.XXX.XXX.XXX

I just had to double-check, but they all are the same.
LVL 10

Assisted Solution

by:SuperTaco
SuperTaco earned 1000 total points
ID: 36937724
On the little router, the encryption is 3DES in your proposals. On the big one you're using AES for your encryption proposal. Those need to match (that is, if I'm looking at the right policy, because I see 2 defined on the big router). On the small router, I also don't see a DH group defined like I do on the big one.
LVL 5

Author Comment

by:usslindstrom
ID: 36937780
Hold on...  Go slow.  R&S guy here...

:)

Alright...  On the big router, there are 2 policies.  Policy 1 and Policy 208.

In policy 208 I'm defining 3DES / MD5.

Policy 1 is actually for a GRE tunnel that's using encryption. (That tunnel is fine.)

You lost me on the Diffie-Hellman group comment. I was under the impression that "Group 2" on the big router was 1024-bit (equal to the small router's setting of 1024-bit).

Again, please be patient with me.  Security stuff is pretty rough for me - But thank you very much for assisting.
LVL 10

Expert Comment

by:SuperTaco
ID: 36938525
Sorry, I get a little carried away sometimes. Don't worry about the Diffie-Hellman thing; after your explanation of the small router, that should be good too. What do the transform sets look like?
LVL 5

Author Comment

by:usslindstrom
ID: 36938710
No worries, you're helping me - and I thank you for everything.

Here are the transform sets on the 2801.

crypto ipsec transform-set ESP-AES_ESP-SHA-HMAC esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES_ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel

On the 2nd transform set, I've used both "mode transport" and "mode tunnel" to see if it makes any difference.  Turns out, not a darn thing.  :(
LVL 5

Author Comment

by:usslindstrom
ID: 36940853
HOLY CRAP!  - I found the problem!

This stupid tunnel was going to be the death of me, until I figured it out.

Turns out my Access list is where the problem was.  I had:

ip access-list extended NET_10_0_208_0
 permit ip 10.0.0.0 0.0.16.255 10.0.208.0 0.0.0.255

If you look into it closely, you can see that the wildcard mask is messed up beyond belief.  Can't believe I missed that.

I changed it to the correct mask in my situation, and the tunnel came up immediately!

ip access-list extended NET_10_0_208_0
 permit ip 10.0.0.0 0.0.15.255 10.0.208.0 0.0.0.255

It sure would be nice if that's what the logs told you, but holy crap.  You security guys have to deal with garbage to work through what you do.  You have my respect.

Much appreciated on the assistance guys!
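The debug did say this, just not in plain words: "atts are acceptable" followed by "IPSec policy invalidated proposal" and "phase 2 SA policy not acceptable!" is what IOS logs when the transform set matches but the proxy identities do not, i.e. the crypto ACL on the router does not describe the same pair of subnets the peer is asking for. The wildcard 0.0.16.255 is non-contiguous (bit 4 of the third octet is "don't care" while bits 0 to 3 are fixed), so it selected 10.0.0.x and 10.0.16.x rather than 10.0.0.0/20. The script below is an added example, not code from the original post: it converts IOS wildcards to prefix lengths, flags non-contiguous ones, counts which hosts of the intended subnet an entry misses, and checks that a "permit ip" line is the mirror image of an RVS4000's Local and Remote Security Group settings. The ACL entries and subnet/mask values are the ones from the thread, embedded as constructed sample input.

```python
"""Crypto-ACL / proxy-identity check for the IOS side of a site-to-site tunnel.
Added example, not from the original post."""
import ipaddress
from typing import List, Optional


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """0.0.15.255 -> 20. Returns None for a non-contiguous wildcard such as
    0.0.16.255, which selects scattered addresses rather than one subnet."""
    mask = _to_int(wildcard) ^ 0xFFFFFFFF   # wildcard 0 bits are the fixed bits
    if mask == 0:
        return 0
    lowest_set = mask & -mask
    # A contiguous netmask is 1...10...0; adding its lowest set bit carries out
    # of 32 bits. Anything left over means there was a 0 above a 1.
    if (mask + lowest_set) & 0xFFFFFFFF:
        return None
    return bin(mask).count("1")


def subnetmask_to_wildcard(mask: str) -> str:
    """255.255.240.0 -> 0.0.15.255, the wildcard an IOS ACL needs for that mask."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ 0xFFFFFFFF))


def acl_matches(net: str, wildcard: str, host: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored, all other
    bits of the host must equal the corresponding bits of the network."""
    fixed = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(host) & fixed) == (_to_int(net) & fixed)


def unmatched_hosts(net: str, wildcard: str, subnet: str, mask: str) -> int:
    """How many addresses of subnet/mask the ACL entry does NOT select."""
    network = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return sum(1 for h in network if not acl_matches(net, wildcard, str(h)))


def audit_crypto_acl(src_net: str, src_wc: str, dst_net: str, dst_wc: str,
                     peer_remote: str, peer_remote_mask: str,
                     peer_local: str, peer_local_mask: str) -> List[str]:
    """Our source must equal the peer's Remote Security Group and our destination
    the peer's Local Security Group. Returns problems; empty means mirror image."""
    problems: List[str] = []
    for label, net, wc, peer_net, peer_mask in (
        ("source", src_net, src_wc, peer_remote, peer_remote_mask),
        ("destination", dst_net, dst_wc, peer_local, peer_local_mask),
    ):
        want = ipaddress.ip_network(f"{peer_net}/{peer_mask}", strict=False)
        plen = wildcard_to_prefixlen(wc)
        if plen is None:
            problems.append(f"{label}: wildcard {wc} is non-contiguous; {want} "
                            f"needs wildcard {subnetmask_to_wildcard(peer_mask)}")
            continue
        have = ipaddress.ip_network(f"{net}/{plen}", strict=False)
        if have != want:
            problems.append(f"{label}: ACL selects {have}, peer expects {want}")
    return problems


# Constructed from the thread: the ACL entry as first posted and as corrected,
# and the RVS4000's group settings (Remote = the 2801's LAN, Local = its own LAN).
BROKEN_ENTRY = ("10.0.0.0", "0.0.16.255", "10.0.208.0", "0.0.0.255")
FIXED_ENTRY = ("10.0.0.0", "0.0.15.255", "10.0.208.0", "0.0.0.255")
RVS4000_GROUPS = ("10.0.0.0", "255.255.240.0",
                  "10.0.208.0", "255.255.255.0")

if __name__ == "__main__":
    for name, entry in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        print(name, audit_crypto_acl(*entry, *RVS4000_GROUPS)
              or ["OK: mirror image of the peer's groups"])
    print("hosts of 10.0.0.0/20 the broken entry misses:",
          unmatched_hosts("10.0.0.0", "0.0.16.255", "10.0.0.0", "255.255.240.0"))
```

The broken entry misses 3840 of the 4096 addresses in 10.0.0.0/20 and, at the same time, selects 10.0.16.x, which lies outside it; either difference is enough for the peer's proposal to be rejected with PROPOSAL_NOT_CHOSEN. Running the check against the RVS4000's subnet masks before turning on the tunnel would have caught it without any debug output.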
LVL 5

Author Closing Comment

by:usslindstrom
ID: 36940858
Subnet mask wildcard issues