IPv6 Site-to-site : Version 15.2(4)M4

grio44001

Hi,

I'm trying to set up an IPv6 tunnel. I use IOS Version 15.2 (4) M4 on a Cisco 881 router. I set up 3 different IPv6 networks :

Capture.PNG

Here is the configuration of my router R1 :

ipv6 unicast-routing

crypto keyring keyring1

  pre-shared-key address ipv6 2001:DB8:10::1/128 key cisco

crypto isakmp policy 10

encr 3des

encr aes

hash md5

authentication pre-share

group 5

lifetime 3600

crypto isakmp key cisco address ipv6 2001:DB8:10::1/128

crypto ipsec transform-set 3des ah-sha-hmac esp-3des

crypto ipsec transform-set algoclient esp-aes esp-md5-hmac

mode tunnel

crypto ipsec profile profile0

set transform-set 3des

set transform-set algoclient

interface Tunnel12

no ip address

ipv6 address 2001:DB8:12::2/64

tunnel source FastEthernet4

tunnel mode ipsec ipv6

tunnel destination 2001:DB8:10::1

tunnel protection ipsec profile profile0

interface FastEthernet4

no ip address

duplex auto

speed auto

ipv6 address 2001:DB8:10::2/64

ipv6 enable

interface Vlan1

no ip address

ipv6 address 2001:DB8:22::2/64

ipv6 enable

ipv6 access-list TEST

permit udp any any

ipv6 route ::/0 Tunnel12

Here is the configuration of my router R2 :

ipv6 unicast-routing

crypto keyring keyring1

  pre-shared-key address ipv6 2001:DB8:10::2/128 key cisco

crypto isakmp policy 10

encr 3des

encr aes

hash md5

authentication pre-share

group 5

lifetime 3600

crypto isakmp key cisco address ipv6 2001:DB8:10::2/128

crypto ipsec transform-set 3des ah-sha-hmac esp-3des

crypto ipsec transform-set algoclient esp-aes esp-md5-hmac

mode tunnel

crypto ipsec profile profile0

set transform-set 3des

set transform-set algoclient

interface Tunnel12

no ip address

ipv6 address 2001:DB8:12::1/64

tunnel source FastEthernet4

tunnel mode ipsec ipv6

tunnel destination 2001:DB8:10::2

tunnel protection ipsec profile profile0

interface FastEthernet4

no ip address

duplex auto

speed auto

ipv6 address 2001:DB8:10::1/64

ipv6 enable

interface Vlan1

no ip address

ipv6 address 2001:DB8:11::1/64

ipv6 enable

ipv6 route ::/0 Tunnel12

The problem is that the two tunnel interfaces tell me: "Tunnel 12 is up, line protocol is down" and the status of the crypto connection is "MM_NO_STATE". Do you have a suggestion for me?


Thank you in advance

PS: Sorry for my English

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Are the tunnel endpoints reachable from both sides? MM_NO_STATE - typically when trying to establish a tunnel but not receiving a reply from the other side.

Also ... mixing AH and ESP ... poor idea for 96% of deployments. (although I don't think it's playing a role here).

Check reachability, check isakmp + ipsec debugs on both sides, move from there.

Thank you for your reply.

I made changes to the transform-set and I turned on debug mode for ISAKMP and IPsec, and I find the same errors. I should mention that I cannot ping the virtual interfaces, and when analyzing the frames between router R1 and router R2 with Wireshark, there was no exchange on 2001:db8:10::/64.

The result of the debug mode router R2 :

R2#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

dst: 2001:DB8:10::2

src: 2001:DB8:10::1

state: MM_NO_STATE     conn-id:      0 status: ACTIVE

R2#

*Feb  6 13:04:56.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:04:56.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:04:56.099: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  6 13:04:56.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:04:56.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:04:56.099: ISAKMP: Unlocking peer struct 0x8861203C for isadb_mark_sa_deleted(), count 0

*Feb  6 13:04:56.099: ISAKMP: Deleting peer node by peer_reap for 2001:DB8:10::2: 8861203C

*Feb  6 13:04:56.099: ISAKMP:(0):deleting node -1721415450 error FALSE reason "IKE deleted"

*Feb  6 13:04:56.099: ISAKMP:(0):deleting node -393218512 error FALSE reason "IKE deleted"

*Feb  6 13:04:56.099: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Feb  6 13:04:56.099: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Feb  6 13:04:56.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Feb  6 13:05:46.099: ISAKMP:(0):purging node -1721415450

*Feb  6 13:05:46.099: ISAKMP:(0):purging node -393218512

*Feb  6 13:05:56.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:05:56.099: ISAKMP:(0): SA request profile is (NULL)

*Feb  6 13:05:56.099: ISAKMP: Created a peer struct for 2001:DB8:10::2, peer port 500

*Feb  6 13:05:56.099: ISAKMP: New peer created peer = 0x8861203C peer_handle = 0x80000013

*Feb  6 13:05:56.099: ISAKMP: Locking peer struct 0x8861203C, refcount 1 for isakmp_initiator

*Feb  6 13:05:56.099: ISAKMP: local port 500, remote port 500

*Feb  6 13:05:56.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:05:56.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85E80820

*Feb  6 13:05:56.099: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Feb  6 13:05:56.099: ISAKMP:(0):found peer pre-shared key matching 2001:DB8:10::2

*Feb  6 13:05:56.099: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Feb  6 13:05:56.099: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  6 13:05:56.099: ISAKMP:(0): beginning Main Mode exchange

*Feb  6 13:05:56.099: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:05:56.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:05:56.103: ISAKMP:(0):purging SA., sa=8861D194, delme=8861D194

*Feb  6 13:06:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:06.103: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Feb  6 13:06:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:06:06.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:06:06.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:06:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:16.103: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Feb  6 13:06:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:06:16.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:06:16.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:06:26.099: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:06:26.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:06:26.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:06:26.099: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2001:DB8:10::1, remote 2001:DB8:10::2)

*Feb  6 13:06:26.099: ISAKMP: Error while processing SA request: Failed to initialize SA

*Feb  6 13:06:26.099: ISAKMP: Error while processing KMI message 0, error 2.

*Feb  6 13:06:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:26.103: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Feb  6 13:06:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:06:26.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:06:26.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:06:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:36.103: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Feb  6 13:06:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:06:36.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:06:36.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:06:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:46.103: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Feb  6 13:06:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:06:46.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:06:46.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:06:56.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:06:56.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:06:56.103: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  6 13:06:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:06:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:06:56.103: ISAKMP: Unlocking peer struct 0x8861203C for isadb_mark_sa_deleted(), count 0

*Feb  6 13:06:56.103: ISAKMP: Deleting peer node by peer_reap for 2001:DB8:10::2: 8861203C

*Feb  6 13:06:56.103: ISAKMP:(0):deleting node 965611803 error FALSE reason "IKE deleted"

*Feb  6 13:06:56.103: ISAKMP:(0):deleting node -350562825 error FALSE reason "IKE deleted"

*Feb  6 13:06:56.103: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Feb  6 13:06:56.103: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Feb  6 13:06:56.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Feb  6 13:07:46.103: ISAKMP:(0):purging node 965611803

*Feb  6 13:07:46.103: ISAKMP:(0):purging node -350562825

*Feb  6 13:07:56.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:07:56.099: ISAKMP:(0): SA request profile is (NULL)

*Feb  6 13:07:56.099: ISAKMP: Created a peer struct for 2001:DB8:10::2, peer port 500

*Feb  6 13:07:56.099: ISAKMP: New peer created peer = 0x8861203C peer_handle = 0x80000014

*Feb  6 13:07:56.099: ISAKMP: Locking peer struct 0x8861203C, refcount 1 for isakmp_initiator

*Feb  6 13:07:56.099: ISAKMP: local port 500, remote port 500

*Feb  6 13:07:56.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:07:56.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85E829D0

*Feb  6 13:07:56.099: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Feb  6 13:07:56.099: ISAKMP:(0):found peer pre-shared key matching 2001:DB8:10::2

*Feb  6 13:07:56.099: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Feb  6 13:07:56.099: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  6 13:07:56.099: ISAKMP:(0): beginning Main Mode exchange

*Feb  6 13:07:56.099: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:07:56.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:07:56.103: ISAKMP:(0):purging SA., sa=85E80820, delme=85E80820

*Feb  6 13:08:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:06.103: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Feb  6 13:08:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:08:06.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:08:06.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:08:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:16.103: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Feb  6 13:08:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:08:16.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:08:16.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:08:26.099: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:08:26.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:08:26.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:08:26.099: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2001:DB8:10::1, remote 2001:DB8:10::2)

*Feb  6 13:08:26.099: ISAKMP: Error while processing SA request: Failed to initialize SA

*Feb  6 13:08:26.099: ISAKMP: Error while processing KMI message 0, error 2.

*Feb  6 13:08:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:26.103: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Feb  6 13:08:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:08:26.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:08:26.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:08:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:36.103: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Feb  6 13:08:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:08:36.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:08:36.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:08:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:46.103: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Feb  6 13:08:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:08:46.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:08:46.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:08:56.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:08:56.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:08:56.103: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  6 13:08:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:08:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)

*Feb  6 13:08:56.103: ISAKMP: Unlocking peer struct 0x8861203C for isadb_mark_sa_deleted(), count 0

*Feb  6 13:08:56.103: ISAKMP: Deleting peer node by peer_reap for 2001:DB8:10::2: 8861203C

*Feb  6 13:08:56.103: ISAKMP:(0):deleting node 396748780 error FALSE reason "IKE deleted"

*Feb  6 13:08:56.103: ISAKMP:(0):deleting node 311989050 error FALSE reason "IKE deleted"

*Feb  6 13:08:56.103: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Feb  6 13:08:56.103: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Feb  6 13:08:56.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Feb  6 13:09:46.103: ISAKMP:(0):purging node 396748780

*Feb  6 13:09:46.103: ISAKMP:(0):purging node 311989050

*Feb  6 13:09:56.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:09:56.099: ISAKMP:(0): SA request profile is (NULL)

*Feb  6 13:09:56.099: ISAKMP: Created a peer struct for 2001:DB8:10::2, peer port 500

*Feb  6 13:09:56.099: ISAKMP: New peer created peer = 0x8861203C peer_handle = 0x80000015

*Feb  6 13:09:56.099: ISAKMP: Locking peer struct 0x8861203C, refcount 1 for isakmp_initiator

*Feb  6 13:09:56.099: ISAKMP: local port 500, remote port 500

*Feb  6 13:09:56.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:09:56.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85E84744

*Feb  6 13:09:56.099: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Feb  6 13:09:56.099: ISAKMP:(0):found peer pre-shared key matching 2001:DB8:10::2

*Feb  6 13:09:56.099: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Feb  6 13:09:56.099: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  6 13:09:56.099: ISAKMP:(0): beginning Main Mode exchange

*Feb  6 13:09:56.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:09:56.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:09:56.103: ISAKMP:(0):purging SA., sa=85E829D0, delme=85E829D0

*Feb  6 13:10:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:06.103: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Feb  6 13:10:06.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:10:06.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:10:06.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:10:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:16.103: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Feb  6 13:10:16.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:10:16.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:10:16.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:10:26.099: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:10:26.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::1:500, remote= 2001:DB8:10::2:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 13:10:26.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 13:10:26.099: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2001:DB8:10::1, remote 2001:DB8:10::2)

*Feb  6 13:10:26.099: ISAKMP: Error while processing SA request: Failed to initialize SA

*Feb  6 13:10:26.099: ISAKMP: Error while processing KMI message 0, error 2.

*Feb  6 13:10:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:26.103: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Feb  6 13:10:26.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:10:26.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:10:26.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:10:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:36.103: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Feb  6 13:10:36.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:10:36.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:10:36.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:10:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:46.103: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Feb  6 13:10:46.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 13:10:46.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 13:10:46.103: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 13:10:56.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::1:0, remote= 2001:DB8:10::2:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 13:10:56.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 13:10:56.103: ISAKMP:(0):peer does not do paranoid keepalives.

What the debugs show is that we're sending IKE packets but never receive anything back. (You follow this by retransmitting 4 times).

Provided there is nothing blocking traffic between 2001:DB8:10::2 and 2001:DB8:10::1 you should be able to reach those.

You can also check

"show ipv6 nei fa4"

and

"show ipv6 int fa4"

M.
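The reading of the debug given in the reply above (IKE packets go out, nothing comes back), as an added example that is not part of the original thread: a small Python parser that tallies, per peer, Main Mode packets sent and received, the highest retransmit attempt and the number of "Death by retransmission P1" teardowns. The first sample is excerpted from the R2 debug posted above; the second sample and the `received packet from` pattern are assumptions (typical IOS debug wording, no such line appears in the thread).

```python
import re
from dataclasses import dataclass

# IOS debug prefix, e.g. "*Feb  6 13:05:56.099: <message>"
LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+\d+:\d+:\d+\.\d+):\s+(?P<msg>.*)$")
SENT = re.compile(r"sending packet to (?P<peer>\S+) my_port \d+ peer_port \d+")
# Assumption: wording of the receive line; it never occurs in the thread's debugs.
RECV = re.compile(r"received packet from (?P<peer>\S+) dport \d+")
ATTEMPT = re.compile(r"attempt (?P<n>\d+) of \d+: retransmit phase 1")
DEATH = re.compile(r'deleting SA reason "Death by retransmission P1".*\(peer (?P<peer>[^)]+)\)')


@dataclass
class PeerStats:
    sent: int = 0         # IKE packets we transmitted to the peer
    received: int = 0     # IKE packets the peer sent back
    max_attempt: int = 0  # highest "attempt N of 5" seen
    deaths: int = 0       # phase 1 SAs deleted after exhausting retransmits


def analyze(log_text):
    """Return {peer_address: PeerStats} for ISAKMP lines in an IOS debug capture."""
    peers = {}
    seen_deaths = set()   # IOS prints the deletion line twice with one timestamp
    last_peer = None      # attempt counters carry no address; tie them to the last send
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "ISAKMP" not in m.group("msg"):
            continue      # blank lines, IPSEC lines and indented continuation lines
        ts, msg = m.group("ts"), m.group("msg")
        sent, recv = SENT.search(msg), RECV.search(msg)
        attempt, death = ATTEMPT.search(msg), DEATH.search(msg)
        if sent:
            last_peer = sent.group("peer")
            peers.setdefault(last_peer, PeerStats()).sent += 1
        elif recv:
            peers.setdefault(recv.group("peer"), PeerStats()).received += 1
        elif attempt and last_peer:
            st = peers.setdefault(last_peer, PeerStats())
            st.max_attempt = max(st.max_attempt, int(attempt.group("n")))
        elif death and (ts, death.group("peer")) not in seen_deaths:
            seen_deaths.add((ts, death.group("peer")))
            peers.setdefault(death.group("peer"), PeerStats()).deaths += 1
    return peers


def verdict(stats):
    """Classify one peer: did anything ever come back on UDP/500?"""
    if stats.received:
        return "REPLIES_SEEN"
    if stats.sent:
        return "NO_REPLY"   # check path, ACLs and the peer's UDP/500 listener
    return "IDLE"


# Excerpt of the R2 debug output from the thread (one full retransmit cycle).
R2_EXCERPT = """
*Feb  6 13:05:56.099: ISAKMP:(0): beginning Main Mode exchange
*Feb  6 13:05:56.099: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:06.103: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  6 13:06:06.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:16.103: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb  6 13:06:16.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:26.103: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb  6 13:06:26.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:36.103: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb  6 13:06:36.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:46.103: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  6 13:06:46.103: ISAKMP:(0): sending packet to 2001:DB8:10::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 13:06:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)
*Feb  6 13:06:56.103: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::2)
"""

# Constructed sample (not from the thread): the peer answers the first packet.
HEALTHY_SAMPLE = """
*Feb  6 14:25:25.089: ISAKMP:(0): sending packet to 2001:DB8::2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  6 14:25:25.090: ISAKMP (0): received packet from 2001:DB8::2 dport 500 sport 500 Global (I) MM_NO_STATE
"""

if __name__ == "__main__":
    for name, text in (("R2 excerpt", R2_EXCERPT), ("healthy (constructed)", HEALTHY_SAMPLE)):
        for peer, st in analyze(text).items():
            print(name, peer, st, verdict(st))
```

A `NO_REPLY` verdict on both routers, together with a working ping between the same addresses, points at something specific to UDP/500 rather than at general reachability.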

Here is what I get with the command "show ipv6 int brief" :

R2#sh ipv int br

FastEthernet4          [up/up]

    FE80::7E69:F6FF:FEDD:B594

    2001:DB8:10::1

Tunnel12               [up/down]

    FE80::7E69:F6FF:FEDD:B590

    2001:DB8:12::1

Vlan1                  [up/up]

    FE80::7E69:F6FF:FEDD:B590

    2001:DB8:11::1

Here is what I get with the command "ping 2001:db8:10::2" :

R2#ping 2001:DB8:10::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:10::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Here is what I get with the command "show ipv6 nei F4" :

R2#no debug all

All possible debugging has been turned off

R2#show ipv6 nei fa4

IPv6 Address                              Age Link-layer Addr State Interface

FE80::D105:B57A:C79A:3CED                  47 60eb.69ae.c9b8  STALE Fa4

2001:DB8:10:0:E85A:E868:9DDC:62AE          64 60eb.69ae.c9b8  STALE Fa4

Here is what I get with the command "show ipv6 int fa4" :

R2#sh ipv int fa4

FastEthernet4 is up, line protocol is up

  IPv6 is enabled, link-local address is FE80::7E69:F6FF:FEDD:B594

  No Virtual link-local address(es):

  Global unicast address(es):

    2001:DB8:10::1, subnet is 2001:DB8:10::/64

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:1

    FF02::1:FFDD:B594

  MTU is 1500 bytes

  ICMP error messages limited to one every 100 milliseconds

  ICMP redirects are enabled

  ICMP unreachables are sent

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds (using 30000)

  ND advertised reachable time is 0 (unspecified)

  ND advertised retransmit interval is 0 (unspecified)

  ND router advertisements are sent every 200 seconds

  ND router advertisements live for 1800 seconds

  ND advertised default router preference is Medium

  Hosts use stateless autoconfig for addresses.

I wonder whether my IOS version can handle the IPv6 VPN tunnel, because I have no problem with the virtual interfaces on IPv4 ...


Hmmmmm interesting, what's going on on R1 when you have the same debugs enabled?

I've labbed this quickly in the background and had no problems to get this up and running.

My config (obviously different IP addressing)

interface Tunnel99

no ip address

ipv6 enable

ipv6 eigrp 100

tunnel source Ethernet0/0

tunnel mode ipsec ipv6

tunnel destination 2001:DB8::1

tunnel protection ipsec profile vpnv6

end

crypto logging session

crypto isakmp policy 10

encr aes 256

hash md5

authentication pre-share

group 5

crypto isakmp key cisco address ipv6 ::/0

crypto ipsec transform-set TRE esp-aes esp-sha-hmac

crypto ipsec profile vpnv6

set transform-set TRE

R1

interface Tunnel99

no ip address

ipv6 enable

ipv6 eigrp 100

ipv6 router isis

tunnel source Ethernet0/0

tunnel mode ipsec ipv6

tunnel destination 2001:DB8::2

tunnel protection ipsec profile vpnv6

I just saw, thanks to your configuration, that I forgot to put "group 5" in "crypto isakmp policy 10", so I added it and I changed the encryption using the example of your policy. But I still have the same problem ...

The result of the debug mode router R1 :

R1#debug cry ips

Crypto IPSEC debugging is on

R1#

*Feb  6 14:12:21.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::2:0, remote= 2001:DB8:10::1:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 14:12:21.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:12:21.099: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  6 14:12:21.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::1)

*Feb  6 14:12:21.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::1)

*Feb  6 14:12:21.099: ISAKMP: Unlocking peer struct 0x85E751E8 for isadb_mark_sa_deleted(), count 0

*Feb  6 14:12:21.099: ISAKMP: Deleting peer node by peer_reap for 2001:DB8:10::1: 85E751E8

*Feb  6 14:12:21.099: ISAKMP:(0):deleting node -1164386253 error FALSE reason "IKE deleted"

*Feb  6 14:12:21.099: ISAKMP:(0):deleting node -1781700608 error FALSE reason "IKE deleted"

*Feb  6 14:12:21.099: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Feb  6 14:12:21.103: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Feb  6 14:12:21.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Feb  6 14:13:11.099: ISAKMP:(0):purging node -1164386253

*Feb  6 14:13:11.099: ISAKMP:(0):purging node -1781700608

*Feb  6 14:13:21.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::2:500, remote= 2001:DB8:10::1:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 14:13:21.099: ISAKMP:(0): SA request profile is (NULL)

*Feb  6 14:13:21.099: ISAKMP: Created a peer struct for 2001:DB8:10::1, peer port 500

*Feb  6 14:13:21.099: ISAKMP: New peer created peer = 0x85E855B0 peer_handle = 0x80000037

*Feb  6 14:13:21.099: ISAKMP: Locking peer struct 0x85E855B0, refcount 1 for isakmp_initiator

*Feb  6 14:13:21.099: ISAKMP: local port 500, remote port 500

*Feb  6 14:13:21.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 14:13:21.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 888769FC

*Feb  6 14:13:21.099: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Feb  6 14:13:21.099: ISAKMP:(0):found peer pre-shared key matching 2001:DB8:10::1

*Feb  6 14:13:21.099: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Feb  6 14:13:21.099: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb  6 14:13:21.099: ISAKMP:(0): beginning Main Mode exchange

*Feb  6 14:13:21.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:13:21.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:13:21.103: ISAKMP:(0):purging SA., sa=85EB7988, delme=85EB7988

*Feb  6 14:13:31.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:13:31.099: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Feb  6 14:13:31.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 14:13:31.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:13:31.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:13:41.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:13:41.099: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Feb  6 14:13:41.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 14:13:41.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:13:41.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:13:51.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:13:51.099: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Feb  6 14:13:51.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 14:13:51.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:13:51.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:13:51.099: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 2001:DB8:10::2:0, remote= 2001:DB8:10::1:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 14:13:51.099: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 2001:DB8:10::2:500, remote= 2001:DB8:10::1:500,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0,

    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb  6 14:13:51.099: ISAKMP: set new node 0 to QM_IDLE

*Feb  6 14:13:51.099: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2001:DB8:10::2, remote 2001:DB8:10::1)

*Feb  6 14:13:51.099: ISAKMP: Error while processing SA request: Failed to initialize SA

*Feb  6 14:13:51.099: ISAKMP: Error while processing KMI message 0, error 2.

*Feb  6 14:14:01.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:14:01.099: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Feb  6 14:14:01.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 14:14:01.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:14:01.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:14:11.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:14:11.099: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Feb  6 14:14:11.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Feb  6 14:14:11.099: ISAKMP:(0): sending packet to 2001:DB8:10::1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb  6 14:14:11.099: ISAKMP:(0):Sending an IKE IPv6 Packet.

*Feb  6 14:14:21.099: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 2001:DB8:10::2:0, remote= 2001:DB8:10::1:0,

    local_proxy= ::/0/256/0,

    remote_proxy= ::/0/256/0

*Feb  6 14:14:21.099: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Feb  6 14:14:21.099: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb  6 14:14:21.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::1)

*Feb  6 14:14:21.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2001:DB8:10::1)

*Feb  6 14:14:21.099: ISAKMP: Unlocking peer struct 0x85E855B0 for isadb_mark_sa_deleted(), count 0

*Feb  6 14:14:21.099: ISAKMP: Deleting peer node by peer_reap for 2001:DB8:10::1: 85E855B0

*Feb  6 14:14:21.099: ISAKMP:(0):deleting node -376393661 error FALSE reason "IKE deleted"

*Feb  6 14:14:21.099: ISAKMP:(0):deleting node -1380673140 error FALSE reason "IKE deleted"

*Feb  6 14:14:21.099: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Feb  6 14:14:21.099: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

OK, so same result on both ends as far as debugs go, reachable via ping.

Could be a problem with UDP socket on port 500.

You can check:

r1#show control-plane host open-ports

Active internet connections (servers and established)

Prot               Local Address             Foreign Address                  Service    State

tcp                        *:23                         *:0                   Telnet   LISTEN

udp                      *:4500                         *:0                   ISAKMP   LISTEN

udp                       *:500                         *:0                   ISAKMP   LISTEN

I would say you can confirm with debug ipv6 packet access-list NAME_OF_ACL det whether you are forwarding those packets out the right interface and receiving them.

In my example:

ipv6 access-list TEST

permit udp any any

debug ipv6 packet access-list TEST detail

packet going out

*Feb  6 14:25:25.089: IPV6: source 2001:DB8::1 (local)

*Feb  6 14:25:25.089:       dest 2001:DB8::2 (Ethernet0/0)

*Feb  6 14:25:25.089:       traffic class 192, flow 0x0, len 136+0, prot 17, hops 64, originating

packet coming in

*Feb  6 14:25:25.090: IPV6: source 2001:DB8::2 (Ethernet0/0)

*Feb  6 14:25:25.090:       dest 2001:DB8::1 (Ethernet0/0)

*Feb  6 14:25:25.090:       traffic class 192, flow 0x0, len 136+14, prot 17, hops 64, forward to ulp
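
An added example, not part of the original post: a Python script that groups `debug ipv6 packet ... detail` lines into packets and counts UDP (protocol 17) packets in each direction between two peers, which is the check described above. The sample lines are copied from the debug output quoted in this thread, the function names are hypothetical, and because the debug prints only the protocol number it cannot tell UDP/500 apart from other UDP.

```python
import ipaddress
import re

# Sample input: debug lines quoted in this thread (one UDP exchange, one ICMPv6 packet).
SAMPLE = """\
*Feb  6 14:25:25.089: IPV6: source 2001:DB8::1 (local)
*Feb  6 14:25:25.089:       dest 2001:DB8::2 (Ethernet0/0)
*Feb  6 14:25:25.089:       traffic class 192, flow 0x0, len 136+0, prot 17, hops 64, originating
*Feb  6 14:25:25.090: IPV6: source 2001:DB8::2 (Ethernet0/0)
*Feb  6 14:25:25.090:       dest 2001:DB8::1 (Ethernet0/0)
*Feb  6 14:25:25.090:       traffic class 192, flow 0x0, len 136+14, prot 17, hops 64, forward to ulp
*Feb  6 14:39:43.487: IPV6: source FE80::7E69:F6FF:FEDD:B594 (FastEthernet4)
*Feb  6 14:39:43.487:       dest FE80::C28C:60FF:FEF9:D2B8 (FastEthernet4)
*Feb  6 14:39:43.487:       traffic class 224, flow 0x0, len 72+14, prot 58, hops 255, forward to ulp
"""

SRC = re.compile(r"IPV6: source (\S+) \((\S+)\)")
DST = re.compile(r"\bdest (\S+) \((\S+)\)")
HDR = re.compile(r"prot (\d+), hops \d+, (.+)$")

def parse_packets(text):
    """Group source/dest/traffic-class lines into one record per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := SRC.search(line):
            cur = {"src": ipaddress.ip_address(m[1]), "src_if": m[2]}
        elif cur is not None and (m := DST.search(line)):
            cur["dst"] = ipaddress.ip_address(m[1])
        elif cur is not None and "dst" in cur and (m := HDR.search(line)):
            cur["prot"], cur["action"] = int(m[1]), m[2].strip()
            packets.append(cur)
            cur = None
    return packets

def udp_directions(packets, local, peer):
    """Count UDP (prot 17) packets sent to and received from the peer."""
    local, peer = ipaddress.ip_address(local), ipaddress.ip_address(peer)
    udp = [p for p in packets if p["prot"] == 17]
    return {
        "sent": sum(p["src"] == local and p["dst"] == peer for p in udp),
        "received": sum(p["src"] == peer and p["dst"] == local for p in udp),
    }

if __name__ == "__main__":
    pkts = parse_packets(SAMPLE)
    print(udp_directions(pkts, "2001:db8::1", "2001:db8::2"))
```

A count of zero in either direction means no UDP between the peers was captured in that direction, so IKE packets were either not sent, not received, or not matched by the debug.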


I cannot run the following command: "show control-plane host open-ports."

However, I put your ACLs on the R1 router and got the following results:

14:39:38.367:       traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating

*Feb  6 14:39:38.367: IPv6-Fwd: Created tmp mtu cache entry for FE80::C28C:60FF:FEF9:D2B8 2001:DB8:10::1 00000000

*Feb  6 14:39:38.367: IPv6-Fwd: Sending on FastEthernet4

*Feb  6 14:39:38.367: IPv6-Fwd: Destination lookup for FE80::C28C:60FF:FEF9:D2B8 : Local, i/f=FastEthernet4, nexthop=FE80::C28C:60FF:FEF9:D2B8

*Feb  6 14:39:38.367: IPV6: source 2001:DB8:10::1 (FastEthernet4)

*Feb  6 14:39:38.367:       dest FE80::C28C:60FF:FEF9:D2B8 (FastEthernet4)

*Feb  6 14:39:38.367:       traffic class 224, flow 0x0, len 64+14, prot 58, hops 255, forward to ulp

*Feb  6 14:39:43.487: IPv6-Fwd: Destination lookup for FE80::C28C:60FF:FEF9:D2B8 : Local, i/f=FastEthernet4, nexthop=FE80::C28C:60FF:FEF9:D2B8

*Feb  6 14:39:43.487: IPV6: source FE80::7E69:F6FF:FEDD:B594 (FastEthernet4)

*Feb  6 14:39:43.487:       dest FE80::C28C:60FF:FEF9:D2B8 (FastEthernet4)

*Feb  6 14:39:43.487:       traffic class 224, flow 0x0, len 72+14, prot 58, hops 255, forward to ulp

*Feb  6 14:39:43.491: IPV6: source FE80::C28C:60FF:FEF9:D2B8 (local)

*Feb  6 14:39:43.491:       dest FE80::7E69:F6FF:FEDD:B594 (FastEthernet4)

*Feb  6 14:39:43.491:       traffic class 224, flow 0x0, len 64+0, prot 58, hops 255, originating

*Feb  6 14:39:43.491: IPv6-Fwd: Created tmp mtu cache entry for FE80::C28C:60FF:FEF9:D2B8 FE80::7E69:F6FF:FEDD:B594 00000000

*Feb  6 14:39:43.491: IPv6-Fwd: Sending on FastEthernet4

*Feb  6 14:39:48.551: IPV6: source FE80::C28C:60FF:FEF9:D2B8 (local)

*Feb  6 14:39:48.551:       dest FE80::7E69:F6FF:FEDD:B594 (FastEthernet4)

*Feb  6 14:39:48.551:       traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating

*Feb  6 14:39:48.551: IPv6-Fwd: Sending on FastEthernet4

*Feb  6 14:39:48.551: IPv6-Fwd: Destination lookup for FE80::C28C:60FF:FEF9:D2B8 : Local, i/f=FastEthernet4, nexthop=FE80::C28C:60FF:FEF9:D2B8

*Feb  6 14:39:48.551: IPV6: source FE80::7E69:F6FF:FEDD:B594 (FastEthernet4)

*Feb  6 14:39:48.551:       dest FE80::C28C:60FF:FEF9:D2B8 (FastEthernet4)

*Feb  6 14:39:48.551:       traffic class 224, flow 0x0, len 64+14, prot 58, hops 255, forward to ulp

PS : I updated my original configuration with modifications.

Thank you for spending time trying to help me,

I was wondering whether using static routing can cause problems with routing on virtual "Tunnel" interfaces. Is it better to use "OSPFv3" or another type of dynamic routing for an IPv6 VPN tunnel?

Those debugs didn't catch any packets we were looking for (UDP/500) :-)

If it was a routing problem pings would fail, too. The two hosts are in same L2 domain, they should both have a connected route. (Unless there's a well hidden typo somewhere, which is always possible)

Get a TAC case opened up, I would say this one would benefit from live troubleshooting :-)

Is there a specific command to enable IPv6 routing, such as "ipv6 unicast-routing"?

I tried to set up a FlexVPN, which seemed like a good alternative to a traditional VPN tunnel, using the following Cisco documentation: http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115783-flexvpn-ip-lan-00.html but I found myself with the same problem: my tunnel interfaces do not want to switch to "UP".