11-30-2015 04:05 AM - edited 03-05-2019 02:50 AM
Hi,
I have set up Cisco CSR 1000v on Amazon cloud (RouterA).
Another IPSec device, pfsense - 123.123.123, was also set up on Amazon cloud.
I am having issues connecting CSR to pfsense, mainly because pfsense is taking the peer identity as 10.2.0.132 instead of 122.122.122.122.
How do I configure CSR to send its identity as 122.122.122.122 instead of 10.2.0.132? This is the main blocker I have.
It seems that NAT-T isn't doing much here.

! 122.122.122.122 (Router A) - internal IP 10.2.0.132
! 123.123.123.123 (Router B)
! VPN configuration (RouterA)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key zNmpUki98qyv address 123.123.123.123
crypto isakmp keepalive 10 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set pre-aes-128-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto map vpntunnel 20 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set pre-aes-128-sha
 match address 2000
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
 crypto map vpntunnel

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.0.132      123.123.123.123 MM_NO_STATE       1837 ACTIVE (deleted)
10.2.0.132      123.123.123.123 MM_NO_STATE       1836 ACTIVE (deleted)
123.123.123.123 10.2.0.132      MM_NO_STATE       1835 ACTIVE (deleted)

*Nov 30 11:00:27.450: ISAKMP:(1832):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 30 11:00:27.450: ISAKMP (1832): ID payload
        next-payload : 8
        type         : 1
        address      : 10.2.0.132
        protocol     : 17
        port         : 0
        length       : 12
*Nov 30 11:00:27.450: ISAKMP:(1832):Total payload length: 12
*Nov 30 11:00:27.450: ISAKMP:(1832):Returning Actual lifetime: 86400
*Nov 30 11:00:27.450: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Nov 30 11:00:27.450: ISAKMP:(1832):Sending an IKE IPv4 Packet.
*Nov 30 11:00:27.450: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 30 11:00:27.450: ISAKMP:(1832):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Nov 30 11:00:27.450: ISAKMP:(1832):IKE_DPD is enabled, initializing timers
*Nov 30 11:00:27.450: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 30 11:00:27.450: ISAKMP:(1832):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 30 11:00:27.525: ISAKMP:(1829):purging node 1121485288
*Nov 30 11:00:27.533: ISAKMP (1832): received packet from 123.123.123.123 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov 30 11:00:27.533: ISAKMP: set new node 3065667901 to QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832): processing HASH payload. message ID = 3065667901
*Nov 30 11:00:27.533: ISAKMP:(1832): processing DELETE payload. message ID = 3065667901
*Nov 30 11:00:27.533: ISAKMP:(1832):peer does not do paranoid keepalives.
*Nov 30 11:00:27.533: ISAKMP:(1832):deleting SA reason "No reason" state (R) QM_IDLE (peer 123.123.123.123)
*Nov 30 11:00:27.533: ISAKMP:(1832):deleting node 3065667901 error FALSE reason "Informational (in) state 1"
*Nov 30 11:00:27.533: ISAKMP: set new node 2243284690 to QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832):Sending an IKE IPv4 Packet.
*Nov 30 11:00:27.533: ISAKMP:(1832):purging node 2243284690
*Nov 30 11:00:27.533: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 30 11:00:27.533: ISAKMP:(1832):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Nov 30 11:00:27.533: ISAKMP:(1832):deleting SA reason "No reason" state (R) QM_IDLE (peer 123.123.123.123)
*Nov 30 11:00:27.535: ISAKMP:(1832):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 30 11:00:27.535: ISAKMP:(1832):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Nov 30 11:00:30.106: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH...
*Nov 30 11:00:30.106: ISAKMP (1830): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Nov 30 11:00:30.106: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH
*Nov 30 11:00:30.106: ISAKMP:(1830): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 30 11:00:30.106: ISAKMP:(1830):Sending an IKE IPv4 Packet.
*Nov 30 11:00:37.527: ISAKMP:(1829):purging SA., sa=7F595BE48CA0, delme=7F595BE48CA0
*Nov 30 11:00:40.105: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH...
*Nov 30 11:00:40.105: ISAKMP (1830): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Nov 30 11:00:40.105: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH
*Nov 30 11:00:40.105: ISAKMP:(1830): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 30 11:00:40.105: ISAKMP:(1830):Sending an IKE IPv4 Packet.
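A small check over debug output like the above, added here as an example and not part of the original post: it extracts each ISAKMP ID payload from the log and reports any whose address differs from the identity the remote peer is configured to expect, noting whether that address is private and whether the SA is already sending on UDP 4500 (NAT-T). The function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, shaped like the debug output in the post.
SAMPLE = """\
*Nov 30 11:00:27.450: ISAKMP (1832): ID payload
next-payload : 8
type : 1
address : 10.2.0.132
protocol : 17
port : 0
length : 12
*Nov 30 11:00:27.450: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
"""

# The SA id is logged as "ISAKMP:(1832):" or "ISAKMP (1832):".
SA = r"ISAKMP\s*:?\s*\((\d+)\)\s*:\s*"
ID_START = re.compile(SA + r"ID payload")
SEND = re.compile(SA + r"sending packet to \S+ my_port (\d+)")
FIELD = re.compile(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$")

def parse_id_payloads(log_text):
    """Return [(sa_id, fields)] for each 'ID payload' dump in the text."""
    payloads, current = [], None
    for line in log_text.splitlines():
        start = ID_START.search(line)
        if start:
            current = (start.group(1), {})
            payloads.append(current)
        elif current and (field := FIELD.match(line)):
            current[1][field.group(1)] = field.group(2)
        else:
            current = None  # any other line ends the dump
    return payloads

def identity_findings(log_text, expected_id):
    """Flag ID payloads whose address is not the identity the peer expects."""
    nat_t = {m.group(1) for m in SEND.finditer(log_text) if m.group(2) == "4500"}
    findings = []
    for sa, fields in parse_id_payloads(log_text):
        sent = fields.get("address")
        if sent and sent != expected_id:
            findings.append({"sa": sa, "sent_id": sent,
                             "private": ipaddress.ip_address(sent).is_private,
                             "nat_t": sa in nat_t})
    return findings

if __name__ == "__main__":
    print(identity_findings(SAMPLE, "122.122.122.122"))
```

A finding with both `private` and `nat_t` set matches the situation described in the post: the router is behind address translation and presents its internal interface address as its IKE identity.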