ISAKMP and IPSEC

ak646j
Level 1

My association is not coming up with the following configuration. Please suggest.

 

crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

crypto isakmp key XXXXX address <IP Address>

crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map bun 14 ipsec-isakmp
 description <description>
 set peer <Peer IP>
 set transform-set aes256
 match address <IP Extended list>

 

Although the tunnel is UP with the parameters below:

==========================================

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 
crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac

 

IOS used on the routers:

====================

Router-1 Image - System image file is "bootflash:asr1000-universalk9.16.03.06.SPA.bin"


Router-2 Image - System image file is "bootflash:asr1000rp1-adventerprisek9.03.16.05.S.155-3.S5-ext.bi"

 

Does anyone have any clue why our IPSEC is not coming up?

Here are the debug logs.

==============DEBUG LOGS=======================

to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585056: Aug 14 09:06:40.481 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585057: Aug 14 09:06:40.482 GMT: ISAKMP: (53194):Node 4100728720, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
585058: Aug 14 09:06:40.482 GMT: ISAKMP: (53194):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
585059: Aug 14 09:06:40.808 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) QM_IDLE      
585060: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):set new node 3710995957 to QM_IDLE      
585061: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):processing HASH payload. message ID = 3710995957
585062: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):processing DELETE payload. message ID = 3710995957
585063: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):deleting other-spi 3332117770 message ID = 4100728720
585064: Aug 14 09:06:40.808 GMT: ISAKMP-ERROR: (53194):deleting node 4100728720 error TRUE reason "Delete Larval"
585065: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585066: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xC69C150A)
585067: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):deleting node 3710995957 error FALSE reason "Informational (in) state 1"
585068: Aug 14 09:06:40.808 GMT: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
585069: Aug 14 09:06:40.977 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied tcp 41.239.197.126(26022) -> 20.139.3.37(23), 1 packet
585070: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585071: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585072: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):retransmitting phase 2 2951673060 QM_IDLE      
585073: Aug 14 09:06:41.718 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585074: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585075: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585076: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 3 of 5: retransmit phase 2
585077: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 2125402457 QM_IDLE      
585078: Aug 14 09:06:41.918 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585079: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585080: Aug 14 09:06:46.027 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied udp 37.49.231.171(5327) -> 20.139.3.37(5070), 1 packet
585081: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585082: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 5 of 5: retransmit phase 2
585083: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 2951673060 QM_IDLE      
585084: Aug 14 09:06:51.718 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585085: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585086: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585087: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585088: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):retransmitting phase 2 2125402457 QM_IDLE      
585089: Aug 14 09:06:51.918 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585090: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585091: Aug 14 09:06:52.045 GMT: ISAKMP: (53194):purging node 1815614818
585092: Aug 14 09:06:57.350 GMT: ISAKMP: (53194):purging node 774373182
585093: Aug 14 09:06:57.350 GMT: ISAKMP: (53194):purging node 1530294766
585094: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):set new node 0 to QM_IDLE      
585095: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):SA has outstanding requests  (local 20.139.3.37 port 500, remote 20.138.247.37 port 500)
585096: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):sitting IDLE. Starting QM immediately (QM_IDLE      )
585097: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):beginning Quick Mode exchange, M-ID of 2742021518
585098: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):QM Initiator gets spi
585099: Aug 14 09:07:00.078 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585100: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585101: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Node 2742021518, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
585102: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
585103: Aug 14 09:07:00.404 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) QM_IDLE      
585104: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):set new node 1646157093 to QM_IDLE      
585105: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):processing HASH payload. message ID = 1646157093
585106: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):processing DELETE payload. message ID = 1646157093
585107: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585108: Aug 14 09:07:00.405 GMT: ISAKMP: (53194):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x7392EE0)
585109: Aug 14 09:07:00.405 GMT: ISAKMP: (53194):deleting node 1646157093 error FALSE reason "Informational (in) state 1"
585110: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585111: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting node 2951673060 error TRUE reason "Phase 2 err count exceeded"
585112: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):QM node retransmission timeout, deleting IKE SA immediately
585113: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585114: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585115: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):set new node 1412544931 to QM_IDLE      
585116: Aug 14 09:07:01.717 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585117: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585118: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):purging node 1412544931
585119: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
585120: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

585121: Aug 14 09:07:01.718 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585122: Aug 14 09:07:01.718 GMT: ISAKMP: (0):Unlocking peer struct 0x7FDFCFF49EF8 for isadb_mark_sa_deleted(), count 0
585123: Aug 14 09:07:01.718 GMT: ISAKMP: (0):Deleting peer node by peer_reap for 20.138.247.37: 7FDFCFF49EF8
585124: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):deleting node 2125402457 error FALSE reason "IKE deleted"
585125: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):deleting node 2742021518 error FALSE reason "IKE deleted"
585126: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
585127: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

585128: Aug 14 09:07:02.037 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) MM_NO_STATE
585129: Aug 14 09:07:02.241 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied tcp 146.185.222.28(48089) -> 20.139.3.37(12902), 1 packet
585130: Aug 14 09:07:02.245 GMT: ISAKMP: (53194):purging node 2865639406

=====================================================
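As an added example (not part of the post and not Cisco code), the following Python script triages a block of ISAKMP debug output like the one quoted above: it counts Phase 2 retransmissions per Quick Mode node, records the last value of the retransmit error counter, and pulls out the reason the IKE SA was finally deleted. The embedded sample is an excerpt of the post's own debug lines; the regular expressions and the verdict wording are my own and assume the IOS message formats seen in that excerpt.

```python
import re
from collections import Counter

# Excerpt of the ISAKMP debug lines quoted in the post above, trimmed to the ones that
# matter for Phase 2 triage (one unrelated %FMANFP ACL-log line is kept to show it is ignored).
DEBUG_EXCERPT = """\
585068: Aug 14 09:06:40.808 GMT: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
585069: Aug 14 09:06:40.977 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied tcp 41.239.197.126(26022) -> 20.139.3.37(23), 1 packet
585070: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585071: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585075: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585076: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 3 of 5: retransmit phase 2
585081: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585082: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 5 of 5: retransmit phase 2
585086: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585087: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585110: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585111: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting node 2951673060 error TRUE reason "Phase 2 err count exceeded"
585112: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):QM node retransmission timeout, deleting IKE SA immediately
585114: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585120: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# "retransmitting phase 2 QM_IDLE       2951673060 ..." -> (phase, state, QM node id)
RETRANSMIT_RE = re.compile(r"retransmitting phase (\d) (\S+)\s+(\d+) \.\.\.")
ATTEMPT_RE = re.compile(r"incrementing error counter on node, attempt (\d+) of (\d+): retransmit phase (\d)")
NODE_ERR_RE = re.compile(r'deleting node (\d+) error TRUE reason "([^"]+)"')
SA_DEL_RE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+)\s+\(peer ([\d.]+)\)')


def triage_phase2(debug_text):
    """Summarise Quick Mode (Phase 2) retransmission behaviour in ISAKMP debug output."""
    retransmits = Counter()   # QM node id -> number of "retransmitting phase 2" lines
    last_attempt = {}         # QM node id -> (attempt, max) from the error counter
    node_errors = {}          # QM node id -> reason the node was torn down
    sa_deletions = []         # IKE SA deletions with reason, role, state and peer
    current_node = None
    for line in debug_text.splitlines():
        if "ISAKMP" not in line:      # syslog noise such as %FMANFP ACL hits
            continue
        m = RETRANSMIT_RE.search(line)
        if m and m.group(1) == "2":
            current_node = m.group(3)
            retransmits[current_node] += 1
            continue
        m = ATTEMPT_RE.search(line)
        if m and current_node is not None:
            # the counter line carries no node id; it follows the retransmit line it belongs to
            last_attempt[current_node] = (int(m.group(1)), int(m.group(2)))
            continue
        m = NODE_ERR_RE.search(line)
        if m:
            node_errors[m.group(1)] = m.group(2)
            continue
        m = SA_DEL_RE.search(line)
        if m:
            sa_deletions.append({"reason": m.group(1), "role": m.group(2),
                                 "state": m.group(3), "peer": m.group(4)})
    if any("retransmission P2" in d["reason"] for d in sa_deletions):
        verdict = ("Phase 1 completed (IKE SA was in QM_IDLE) but Quick Mode timed out after "
                   "the retransmit limit: the peers' Phase 2 parameters (transform set, crypto ACL) "
                   "need to be compared")
    elif retransmits:
        verdict = "Phase 2 retransmissions in progress, error counter not yet exhausted"
    else:
        verdict = "no Phase 2 retransmission symptoms found"
    return {"retransmits": dict(retransmits), "last_attempt": last_attempt,
            "node_errors": node_errors, "sa_deletions": sa_deletions, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_phase2(DEBUG_EXCERPT).items():
        print(f"{key}: {value}")
```

Run against the excerpt it reports two Quick Mode nodes retransmitting, one of them reaching attempt 5 of 5 and being deleted with "Phase 2 err count exceeded", followed by the IKE SA itself being torn down with "Death by retransmission P2" while still in QM_IDLE. That pattern is what separates a Phase 2 proposal problem from a Phase 1 one: Main Mode has already succeeded, so the ISAKMP policy is not the first thing to suspect.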

 

4 Replies

omz
VIP Alumni
 

The encryption parameters used on one peer must match the parameters used on the other peer. If your IPSEC does come up when using these parameters

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac

then it suggests that this is what the peer is configured to use and that is why your VPN does not work when you change your side to the more secure set of parameters.

 

HTH

 

Rick


Hello Rick

 

Our tunnel is up and running fine with the parameters below.

 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac

 

 

=========Problem===========================

Our issue is that we are going to replace the above parameters with new ones.

Here are the new ones. But our tunnel is not coming up with this new config.

 

NOTE: Policies 1 and 2 are both configured on the same routers.

 

crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

crypto isakmp key XXXXX address <IP Address>

crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map bun 14 ipsec-isakmp
 description <description>
 set peer <Peer IP>
 set transform-set aes256
 match address <IP Extended list>

Thanks for the additional information. I understand that your VPN is working with policy 1 and I understand that you will be changing to use policy 2, which is much more secure. What I am trying to explain is that as you make changes to implement policy 2, the peer device also needs to make similar changes to implement a new policy that will match your policy 2.

 

HTH

 

Rick
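Both of Rick's replies make the same point: the ISAKMP policy and the transform set have to match on both peers, and a second policy on one side only helps if the other side has a matching one. The Python script below is an added example (not from this thread, not Cisco code) that reads IOS-style crypto configuration from two peers and reports which Phase 1 policy pairs and which crypto-map transform sets can actually negotiate. The two configs are constructed to mirror the situation described above: the local router keeps policy 1 and adds policy 2 with a crypto map that offers only the new aes256 transform set, while the peer still runs only the 3DES/MD5 set. The peer addresses (192.0.2.x) and ACL number are placeholders; the IOS defaults filled in for unspecified policy attributes (DES, SHA, RSA signatures, group 1, and 128-bit for a bare esp-aes) are the documented ones.

```python
import re

# Constructed IOS-style config for the local router: both policies present, as in the post,
# but the crypto map offers only the new aes256 transform set. 192.0.2.2 and ACL 101 are placeholders.
LOCAL_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key XXXXX address 192.0.2.2
crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map bun 14 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set aes256
 match address 101
"""

# Constructed config for the remote peer, still on the old parameters only.
PEER_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac
crypto map bun 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CSC-3DES
 match address 101
"""

# IOS ISAKMP policy defaults used when an attribute is not configured.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def normalize_transforms(spec):
    """'esp-aes 256 esp-sha256-hmac' -> ('esp-aes-256', 'esp-sha256-hmac'); bare esp-aes means 128-bit."""
    out = []
    for tok in spec.split():
        if tok.isdigit() and out:
            out[-1] += "-" + tok
        else:
            out.append(tok)
    return tuple(sorted("esp-aes-128" if t == "esp-aes" else t for t in out))


def parse_crypto_config(config):
    """Collect ISAKMP policies, transform sets and the sets referenced by crypto-map entries."""
    cfg = {"policies": {}, "transform_sets": {}, "offered_sets": set()}
    section, kind = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto "):            # a new top-level crypto command
            section, kind = None, None
            m = re.match(r"crypto isakmp policy (\d+)$", line)
            if m:
                kind, section = "policy", dict(IOS_ISAKMP_DEFAULTS)
                cfg["policies"][int(m.group(1))] = section
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                kind, section = "ts", {"transforms": normalize_transforms(m.group(2)), "mode": "tunnel"}
                cfg["transform_sets"][m.group(1)] = section
            if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
                kind = "map"
            continue
        key, _, value = line.partition(" ")
        if kind == "policy" and key in IOS_ISAKMP_DEFAULTS:
            section[key] = value.replace(" ", "-")     # "aes 256" -> "aes-256"
        elif kind == "ts" and key == "mode":
            section["mode"] = value
        elif kind == "map" and line.startswith("set transform-set "):
            cfg["offered_sets"].update(line.split()[2:])
    return cfg


def compare_peers(local_cfg, peer_cfg):
    """Report which policy pairs and which crypto-map transform sets match between two peers."""
    l, p = parse_crypto_config(local_cfg), parse_crypto_config(peer_cfg)
    phase1 = [(lp, pp) for lp, la in sorted(l["policies"].items())
              for pp, pa in sorted(p["policies"].items()) if la == pa]
    diffs = {(lp, pp): {k: (la[k], pa[k]) for k in IOS_ISAKMP_DEFAULTS if la[k] != pa[k]}
             for lp, la in l["policies"].items() for pp, pa in p["policies"].items() if la != pa}
    # Only transform sets that a crypto-map entry actually references are proposed in Quick Mode.
    l_sets = {n: l["transform_sets"][n] for n in l["offered_sets"] if n in l["transform_sets"]}
    p_sets = {n: p["transform_sets"][n] for n in p["offered_sets"] if n in p["transform_sets"]}
    phase2 = [(ln, pn) for ln, la in l_sets.items() for pn, pa in p_sets.items() if la == pa]
    if not phase1:
        verdict = "no ISAKMP policy matches: Phase 1 (Main Mode) will fail"
    elif not phase2:
        verdict = ("Phase 1 can complete via policy pair %s but no crypto-map transform set matches: "
                   "Phase 2 (Quick Mode) will fail" % (phase1[0],))
    else:
        verdict = "policy pair %s and transform-set pair %s match" % (phase1[0], phase2[0])
    return {"phase1_matches": phase1, "phase1_diffs": diffs, "phase2_matches": phase2, "verdict": verdict}


if __name__ == "__main__":
    for key, value in compare_peers(LOCAL_CONFIG, PEER_CONFIG).items():
        print(f"{key}: {value}")
```

For the constructed pair the result is exactly the symptom in the thread: policy 1 still matches on both sides, so Main Mode completes, but the local crypto map only proposes aes256 and the peer only accepts CSC-3DES, so Quick Mode never completes and the new tunnel stays down. The `phase1_diffs` entry for (2, 1) lists encr, hash and group as the attributes the peer would have to add in a matching policy. The first matching pair is chosen by local priority order, which approximates how an IKEv1 responder picks the first of its own policies that matches a proposal; it is a planning aid, not a substitute for checking the peer's running config.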
