Can anyone tell me what is going wrong here?

rnsimpson
Level 1

Trying to establish an ipsec vpn connection to a remote site but also have the router configured for cisco vpn client connections.

debug crypto isakmp output in the attached file:

Thanks in advance

18 Replies

5220
Level 4

Hi,

Where is the problem? With the site-to-site or the VPN client?

What happens usually when you have both enabled on a router is that for the site to site you need to specify that no client authentication is required:

crypto isakmp key xxx address xxx no-xauth

"Without the ability to disable Xauth, a user cannot select which peer on the same crypto map should use Xauth. That is, if a user has router-to-router IP security (IPSec) on the same crypto map as a virtual private network (VPN)-client-to-Cisco-IOS IPSec, both peers are prompted for a username and password."

For more info:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnxauth.html

Please rate if this helped.

Regards,

Daniel

Hi Daniel,

The vpn clients work fine, it is the site to site one that I am having trouble with.

show crypto isakmp sa shows the peer MM_NO_STATE

It seems to get through phase 1 ok but then the sa is deleted.

The messages below are from the logs, and this is where it looks to be going wrong:

19:54:55.959: ISAKMP:(2259):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

19:54:55.983: ISAKMP (0:2259): received packet from 202.12.0.4 dport 500 sport 500 Global (I) QM_IDLE

19:54:55.983: ISAKMP: set new node 756490430 to QM_IDLE

19:54:55.983: ISAKMP:(2259): processing HASH payload. message ID = 756490430

19:54:55.983: ISAKMP:received payload type 18

19:54:55.983: ISAKMP:(2259): processing DELETE_WITH_REASON payload, message ID = 756490430, reason: Unknown delete reason!

19:54:55.983: ISAKMP:(2259):peer does not do paranoid keepalives.

19:54:55.983: ISAKMP:(2259):deleting SA reason "No error" state (I) QM_IDLE (peer 202.12.0.4)

19:54:55.983: ISAKMP:(2259):deleting node 756490430 error FALSE reason "Informational (in) state 1"
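The pattern Rob quotes above (Phase 1 reaches IKE_P1_COMPLETE, then the peer sends DELETE_WITH_REASON while the SA is still in QM_IDLE) is easy to pick out of a long debug crypto isakmp capture mechanically. The following is an added example, not code from this thread or from Cisco; it parses a constructed sample built from the lines quoted above and flags every SA that completed Phase 1 and was then torn down by the remote peer before Phase 2 finished. The PHASE2_COMPLETE state-name check is an assumption about IOS debug output.

```python
import re

# Constructed sample input, modelled on the debug crypto isakmp lines quoted in this thread.
SAMPLE_DEBUG = """\
19:54:55.959: ISAKMP:(2259):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
19:54:55.983: ISAKMP (0:2259): received packet from 202.12.0.4 dport 500 sport 500 Global (I) QM_IDLE
19:54:55.983: ISAKMP: set new node 756490430 to QM_IDLE
19:54:55.983: ISAKMP:(2259): processing HASH payload. message ID = 756490430
19:54:55.983: ISAKMP:received payload type 18
19:54:55.983: ISAKMP:(2259): processing DELETE_WITH_REASON payload, message ID = 756490430, reason: Unknown delete reason!
19:54:55.983: ISAKMP:(2259):peer does not do paranoid keepalives.
19:54:55.983: ISAKMP:(2259):deleting SA reason "No error" state (I) QM_IDLE (peer 202.12.0.4)
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
PEER_DEL_RE = re.compile(r"ISAKMP:\((\d+)\): processing DELETE_WITH_REASON payload.*?reason: (.+)$")
SA_DEL_RE = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]*)" state \(\w\) (\S+) \(peer ([\d.]+)\)')

def analyse(debug_text):
    """Return {sa_id: finding} for every ISAKMP SA that reached IKE_P1_COMPLETE and was then
    torn down by a peer-sent DELETE before Phase 2 completed (the pattern seen in the thread)."""
    p1_done, p2_done, peer_reason, findings = set(), set(), {}, {}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sa, _old, new = m.groups()
            if new == "IKE_P1_COMPLETE":
                p1_done.add(sa)
            # Assumption: IOS logs a state name containing PHASE2_COMPLETE once Quick Mode succeeds.
            if "PHASE2_COMPLETE" in new:
                p2_done.add(sa)
            continue
        m = PEER_DEL_RE.search(line)
        if m:
            peer_reason[m.group(1)] = m.group(2).strip()  # remember what the remote side said
            continue
        m = SA_DEL_RE.search(line)
        if m:
            sa, local_reason, state, peer = m.groups()
            if sa in p1_done and sa not in p2_done and sa in peer_reason:
                findings[sa] = {
                    "peer": peer,
                    "state_at_delete": state,        # QM_IDLE: Phase 2 never finished
                    "peer_reason": peer_reason[sa],  # reason carried in the peer's DELETE
                    "local_reason": local_reason,    # "No error": the delete was not ours
                }
    return findings
```

A hit in `analyse()` tells you the tear-down came from the far end, so the thing to compare next is the Phase 2 and xauth settings on both peers rather than the local Phase 1 proposal.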

Rob

It would help us to see what is going wrong if you would post the configuration of the router.

HTH

Rick

Hi Rick,

I have attached the relevant parts of the routers configuration. If there is anything missing please let me know.

Kind regards,

Rob

Rob

I believe that Daniel correctly identified the issue in his post as being related to xauth. For user (software client) VPN the router needs to authenticate the remote by prompting for ID and password and needs to authenticate them. But for site to site vpn the router should not prompt for ID and password. You achieve this by adding a parameter on the pre-shared-key command. I suggest that you try this and see if it works better:

crypto keyring ltnz

pre-shared-key address 202.12.0.4 key xxxxxx no-xauth

HTH

Rick

Hi Rick,

There is no option to add no-xauth at the end of that line under the keyring config.

So instead I removed the keyring and just added

crypto isakmp key xxxx address x.x.x.x no-xauth

crypto isakmp profile ltnz

keyring default

I ran some more tests but still nothing has changed.

It seems very strange, especially the debug line below

00:11:02.894: ISAKMP:(2074): processing DELETE_WITH_REASON payload, message ID = 1453285237, reason: Unknown delete reason!

Your help is much appreciated.

Kind regards,

Rob

Rob

I had hoped that the no-xauth would fix the issue. But if it does not then we will look for something else. Since the debug that you posted shows that the peers get through Main mode negotiation and have problems in Quick mode, then I wonder if the output of debug crypto ipsec might have something helpful.

And it would be a good idea to check the IPSec parameters on this router against the parameters on the other router to be sure that there is not some mismatch.

HTH

Rick

Hi Rick,

Please see the attached file for debug crypto ipsec output.

Kind regards,

Rob

Sorry, here is the attachment.

Rob

Thanks for the debug output. It seems to be not as helpful as I had hoped. I am very curious about this line in the debug:

protocol= ESP, transform= NONE (Tunnel),

it puzzles me about the transform.

Perhaps it might help if you would post the output of show crypto map from the router.

HTH

Rick

Hi Rick,

I have attached the output of a show crypto map

Thanks again

Rob

Rob

I am a bit puzzled. The config that you posted shows this for the transform set:

set transform-set LTNZ2

But the output of show crypto map shows that the transform is

Transform sets={
    LTNZ,
}

Can you shed any light on this?

HTH

Rick

Hi Rick,

Sorry, yeah, as part of my troubleshooting I created a second transform set named LTNZ2, and that is the one that was in use when I captured the config. I found that no matter which transform set I used, the debug output was always the same.

Rob

Thanks for the clarification. Since we are not finding the problem when we look on your router, perhaps we should look at the other end. What can you tell us about the device on the other end of the VPN and how it is configured?

HTH

Rick