08-01-2008 01:30 AM - edited 03-09-2019 09:12 PM
Trying to establish an ipsec vpn connection to a remote site but also have the router configured for cisco vpn client connections.
debug crypto isakmp output in the attached file:
Thanks in advance
08-01-2008 04:21 AM
Hi,
Where is the problem? With the site to site or the VPN client.
What happens usually when you have both enabled on a router is that for the site to site you need to specify that no client authentication is required:
crypto isakmp key xxx address xxx no-xauth
"Without the ability to disable Xauth, a user cannot select which peer on the same crypto map should use Xauth. That is, if a user has router-to-router IP security (IPSec) on the same crypto map as a virtual private network (VPN)-client-to-Cisco-IOS IPSec, both peers are prompted for a username and password."
For more info:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnxauth.html
Please rate if this helped.
Regards,
Daniel
08-02-2008 12:02 PM
Hi Daniel,
The vpn clients work fine, it is the site to site one that I am having trouble with.
show crypto isakmp sa shows the peer MM_NO_STATE
It seems to get through phase 1 ok but then the sa is deleted.
The messages below are from the logs and this is where it looks to be going wrong?
19:54:55.959: ISAKMP:(2259):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
19:54:55.983: ISAKMP (0:2259): received packet from 202.12.0.4 dport 500 sport 500 Global (I) QM_IDLE
19:54:55.983: ISAKMP: set new node 756490430 to QM_IDLE
19:54:55.983: ISAKMP:(2259): processing HASH payload. message ID = 756490430
19:54:55.983: ISAKMP:received payload type 18
19:54:55.983: ISAKMP:(2259): processing DELETE_WITH_REASON payload, message ID = 756490430, reason: Unknown delete reason!
19:54:55.983: ISAKMP:(2259):peer does not do paranoid keepalives.
19:54:55.983: ISAKMP:(2259):deleting SA reason "No error" state (I) QM_IDLE (peer 202.12.0.4)
19:54:55.983: ISAKMP:(2259):deleting node 756490430 error FALSE reason "Informational (in) state 1"
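As an added illustration (not from this thread, from Cisco, or from any of the posters), a small Python triage script that parses debug crypto isakmp output in the form quoted above and flags the pattern seen here: phase 1 completes, then the peer sends a DELETE_WITH_REASON payload before any quick-mode state transition. The sample lines are constructed from the quoted output; the SA id 2259 and the peer address 202.12.0.4 are taken from the thread.

```python
import re

# Constructed sample modelled on the debug crypto isakmp lines quoted above (not a new capture).
SAMPLE_DEBUG = """\
19:54:55.959: ISAKMP:(2259):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
19:54:55.983: ISAKMP (0:2259): received packet from 202.12.0.4 dport 500 sport 500 Global (I) QM_IDLE
19:54:55.983: ISAKMP: set new node 756490430 to QM_IDLE
19:54:55.983: ISAKMP:(2259): processing HASH payload. message ID = 756490430
19:54:55.983: ISAKMP:received payload type 18
19:54:55.983: ISAKMP:(2259): processing DELETE_WITH_REASON payload, message ID = 756490430, reason: Unknown delete reason!
19:54:55.983: ISAKMP:(2259):deleting SA reason "No error" state (I) QM_IDLE (peer 202.12.0.4)
"""

# Line shapes taken from the quoted debug output.
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
RECV_RE = re.compile(r"ISAKMP \(0:(\d+)\): received packet from (\S+) .* \(([IR])\) (\S+)")
DELETE_RE = re.compile(r"ISAKMP:\((\d+)\): processing DELETE_WITH_REASON payload, message ID = (\d+), reason: (.*)")


def _sa(sas, sa_id):
    """Per-SA record, created on first sight of the ISAKMP SA id."""
    return sas.setdefault(sa_id, {"p1_complete": False, "qm_started": False,
                                  "peer": None, "state": None, "delete_reason": None})


def analyse_isakmp_debug(text):
    """Return one finding per ISAKMP SA that completed phase 1 and then received a
    DELETE_WITH_REASON from the peer without any quick-mode (IKE_QM_*) transition."""
    sas = {}
    for line in text.splitlines():
        if (m := STATE_RE.search(line)):
            sa = _sa(sas, m.group(1))
            sa["p1_complete"] |= m.group(3) == "IKE_P1_COMPLETE"
            sa["qm_started"] |= m.group(2).startswith("IKE_QM_") or m.group(3).startswith("IKE_QM_")
        elif (m := RECV_RE.search(line)):
            sa = _sa(sas, m.group(1))
            sa["peer"], sa["state"] = m.group(2), m.group(4)
        elif (m := DELETE_RE.search(line)):
            _sa(sas, m.group(1))["delete_reason"] = m.group(3).strip()
    findings = []
    for sa_id, sa in sas.items():
        if sa["p1_complete"] and sa["delete_reason"] and not sa["qm_started"]:
            findings.append(
                f"SA {sa_id}: phase 1 completed, then peer {sa['peer']} sent DELETE_WITH_REASON "
                f"({sa['delete_reason']}) in {sa['state']} before any quick-mode exchange; "
                "the peer tore the SA down after authentication, so compare phase-2 proposals, "
                "proxy identities and xauth settings on the remote end")
    return findings


if __name__ == "__main__":
    for finding in analyse_isakmp_debug(SAMPLE_DEBUG):
        print(finding)
```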
08-02-2008 12:57 PM
Rob
It would help us to see what is going wrong if you would post the configuration of the router.
HTH
Rick
08-02-2008 01:09 PM
08-02-2008 03:20 PM
Rob
I believe that Daniel correctly identified the issue in his post as being related to xauth. For user (software client) VPN the router needs to authenticate the remote by prompting for ID and password and needs to authenticate them. But for site to site vpn the router should not prompt for ID and password. You achieve this by adding a parameter on the pre-shared-key command. I suggest that you try this and see if it works better:
crypto keyring ltnz
pre-shared-key address 202.12.0.4 key xxxxxx no-xauth
HTH
Rick
08-02-2008 04:20 PM
Hi Rick,
There is no option to add no-xauth at the end of that line under the keyring config.
So instead I removed the keyring and just added
crypto isakmp key xxxx address x.x.x.x no-xauth
crypto isakmp profile ltnz
keyring default
I ran some more tests but still nothing has changed.
It seems very strange, especially the debug line below
00:11:02.894: ISAKMP:(2074): processing DELETE_WITH_REASON payload, message ID = 1453285237, reason: Unknown delete reason!
Your help is much appreciated.
Kind regards,
Rob
08-02-2008 06:13 PM
Rob
I had hoped that the no-xauth would fix the issue. But if it does not then we will look for something else. Since the debug that you posted shows that the peers get through Main mode negotiation and have problems in Quick mode, then I wonder if the output of debug crypto ipsec might have something helpful.
And it would be a good idea to check the IPSec parameters on this router against the parameters on the other router to be sure that there is not some mismatch.
HTH
Rick
08-02-2008 06:25 PM
Hi Rick,
Please see the attached file for debug crypto ipsec output.
Kind regards,
Rob
08-02-2008 06:27 PM
08-02-2008 07:02 PM
Rob
Thanks for the debug output. It seems to be not as helpful as I had hoped. I am very curious about this line in the debug:
protocol= ESP, transform= NONE (Tunnel),
it puzzles me about the transform.
Perhaps it might help if you would post the output of show crypto map from the router.
HTH
Rick
08-02-2008 07:50 PM
08-03-2008 02:15 PM
Rob
I am a bit puzzled. The config that you posted shows this for the transform set:
set transform-set LTNZ2
But the output of show crypto map shows that the transform is
Transform sets={
LTNZ,
}
Can you shed any light on this?
HTH
Rick
08-03-2008 02:56 PM
Hi Rick,
Sorry, yeah, as part of my troubleshooting I created a second transform set named LTNZ2, and that is the one that was in use when I captured the config. I found that no matter which transform set I used, the debug output was always the same.
08-03-2008 06:23 PM
Rob
Thanks for the clarification. Since we are not finding the problem when we look on your router, perhaps we should look at the other end. What can you tell us about the device on the other end of the VPN and how it is configured?
HTH
Rick