IKE Phase 2 SA expires immediately - site 2 site ipsec over gre

Philippe Latu
Level 1

Hello,

I am migrating an IPsec site-to-site VPN config to a new ASR1001 router "facing" a Linux box (ipsec-tools + racoon).

As Debian Linux does not offer VTI, I am using a crypto map.

The working config is given below with the corresponding logs on the Linux side.

When I try to apply this previously working config to the ASR1001, I get the following error:

000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0

Any hint on the error code 0x5?

The Linux-side logs show timing problems ...

Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: ISAKMP-SA established 194.214.196.2[500]-130.120.124.8[500] spi:5f8e6339fb954d45:e513d25e42e19d11
Dec 12 18:50:20 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:39 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:50 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=30866420(0x1d6fbf4)
Dec 12 18:50:50 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=258959(0x3f38f)
Dec 12 18:50:59 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51:00 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=95427747(0x5b01ca3)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=159198575(0x97d2d6f)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51:10 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).

!###########################################
! IOS Running config
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MY-0WN-T3RR1F1C-PR35H4R3D-K3Y address 192.0.2.66 no-xauth
!
!
crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
 mode transport
!
crypto map MY-0WN-MAP 1 ipsec-isakmp
 set peer 192.0.2.66
 set transform-set MY-0WN-TS-MD5
 set pfs group2
 match address 120
!
interface Tunnel0
 bandwidth 45000
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.66
 tunnel path-mtu-discovery
 tunnel bandwidth transmit 45000
 tunnel bandwidth receive 45000
!
interface GigabitEthernet0/0
 ip address 192.0.2.34 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map MY-0WN-MAP
###########################################

Linux side logs

Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA expired 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA deleted 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 1 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: begin Identity Protection mode.
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: RFC 3947
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: DPD
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 08:18:31 GLA racoon: [192.0.2.34] INFO: received INITIAL-CONTACT
Dec 12 08:18:31 GLA racoon: INFO: ISAKMP-SA established 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49e027808c:b17ba35c5b7f1e82
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 2 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: Update the generated policy : 192.0.2.34/32[0] 192.0.2.66/32[0] proto=any dir=in
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=88493238(0x5464cb6)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=21367141(0x1460965)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=1579505880(0x5e2558d8)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=838280164(0x31f723e4)
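
Added here as a worked example, not part of the original post: a small Python script that walks racoon log lines like the ones above, pairs each "new phase 2 negotiation" with its outcome per host (oldest pending first), and separates a real SA ageing out from the "PF_KEY EXPIRE message received from kernel for SA being negotiated" abort. In the failing log each abort comes exactly 30 s after the matching negotiation started, which is the pattern the Linux kernel produces when it discards a larval (ACQUIRE) SA because quick mode never finished. The 30 s value, the default of the net.core.xfrm_acq_expires sysctl, is an assumption here and should be checked on the box; the sample log lines are trimmed copies of the post's logs. The script does not say why the ASR never completes quick mode; for that, compare `show crypto ipsec sa` on the router with `setkey -D` on the Linux side. One caveat on the config itself: the IKE policy and transform set use MD5 HMACs and DH group 2 (1024-bit MODP), both long deprecated, and should be raised if the two peers can agree on anything stronger.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Linux kernel larval-SA (ACQUIRE) lifetime in seconds, sysctl net.core.xfrm_acq_expires.
# The default of 30 is an assumption here; confirm with `sysctl net.core.xfrm_acq_expires`.
XFRM_ACQ_EXPIRES = 30

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: (?P<msg>.*)$"
)
PHASE2_START = re.compile(r"\b(?:initiate|respond) new phase 2 negotiation\b")
PHASE2_OK = re.compile(r"\bIPsec-SA established: ")
PHASE2_ABORT = re.compile(r"PF_KEY EXPIRE message received from kernel for SA being negotiated")

Outcome = namedtuple("Outcome", "host started outcome elapsed")

# Constructed sample: the failing exchange and the working one from the post, trimmed.
SAMPLE_LOG = """\
Dec 12 18:50:20 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:39 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:50 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=30866420(0x1d6fbf4)
Dec 12 18:50:50 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=258959(0x3f38f)
Dec 12 18:50:59 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51:09 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 2 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=88493238(0x5464cb6)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=21367141(0x1460965)
"""


def parse_ts(ts, year=2013):
    """Syslog stamps carry no year; an assumed year makes them comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate_phase2(lines, acq_expires=XFRM_ACQ_EXPIRES):
    """Pair every phase-2 start with its outcome, per host, oldest pending first.

    Outcomes: 'established', 'acquire-timeout' (abort exactly acq_expires seconds
    after the start, i.e. the kernel gave up on a larval SA that was never
    completed), 'expired' (abort at some other age) or 'pending' (no outcome seen).
    """
    pending = defaultdict(deque)   # host -> start times of unfinished negotiations
    last_ok = {}                   # host -> timestamp of the last 'established' burst
    results = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, msg, when = m["host"], m["msg"], parse_ts(m["ts"])
        if PHASE2_START.search(msg):
            pending[host].append(when)
        elif PHASE2_OK.search(msg):
            # One negotiation installs one SA per protocol and direction (four
            # lines for AH+ESP), all in the same second: count the burst once.
            if last_ok.get(host) == when:
                continue
            last_ok[host] = when
            if pending[host]:
                started = pending[host].popleft()
                results.append(Outcome(host, started, "established",
                                       int((when - started).total_seconds())))
        elif PHASE2_ABORT.search(msg) and pending[host]:
            started = pending[host].popleft()
            elapsed = int((when - started).total_seconds())
            kind = "acquire-timeout" if elapsed == acq_expires else "expired"
            results.append(Outcome(host, started, kind, elapsed))
    for host, queue in pending.items():
        for started in queue:
            results.append(Outcome(host, started, "pending", None))
    return results


def diagnose(results, acq_expires=XFRM_ACQ_EXPIRES):
    """Per host: did phase 2 ever complete, and how often did the kernel give up?"""
    counts = defaultdict(lambda: defaultdict(int))
    for r in results:
        counts[r.host][r.outcome] += 1
    verdict = {}
    for host, c in counts.items():
        if c["established"]:
            verdict[host] = "phase 2 completes"
        elif c["acquire-timeout"]:
            verdict[host] = (f"phase 2 never completes: kernel dropped the larval SA "
                             f"after {acq_expires}s {c['acquire-timeout']} time(s), "
                             f"quick mode is not finishing within the acquire timeout")
        else:
            verdict[host] = "no phase 2 outcome seen"
    return verdict


if __name__ == "__main__":
    for host, text in diagnose(correlate_phase2(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {text}")
```

Feed it the real file with `correlate_phase2(open("/var/log/daemon.log"))`; only lines tagged `racoon:` are considered, so other daemons' noise is ignored. If the aborts do not land on the sysctl value, the 'expired' outcomes point at a genuine lifetime mismatch between the two peers rather than at an unfinished quick mode.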
