SRP527W and 877 woes

Eshan Bhide
Level 1

Hi guys,

I am trying to set up a site-to-site IPsec tunnel between this model of router and a simple 877 router. I have tested this on an 1841 and it doesn't seem to work either.

The debug logs:

*Sep 19 22:08:30.932: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 19 22:08:30.932: ISAKMP:(3026): processing ID payload. message ID = 0
*Sep 19 22:08:30.932: ISAKMP (0:3026): ID payload
        next-payload : 8
        type         : 1
        address      : 121.44.232.11
        protocol     : 0
        port         : 0
        length       : 12
*Sep 19 22:08:30.932: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 19 22:08:30.932: ISAKMP:(3026): processing HASH payload. message ID = 0
*Sep 19 22:08:30.932: ISAKMP:(3026):SA authentication status:
        authenticated
*Sep 19 22:08:30.936: ISAKMP:(3026):SA has been authenticated with 121.44.232.11
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):beginning Quick Mode exchange, M-ID of 725457329
*Sep 19 22:08:30.940: ISAKMP:(3026):QM Initiator gets spi
*Sep 19 22:08:30.940: ISAKMP:(3026): sending packet to 121.44.232.11 my_port 500 peer_port 500 (I) QM_IDLE
*Sep 19 22:08:30.940: ISAKMP:(3026):Sending an IKE IPv4 Packet.
*Sep 19 22:08:30.940: ISAKMP:(3026):Node 725457329, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Sep 19 22:08:30.940: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.968: ISAKMP:(3024):purging SA., sa=836D7310, delme=836D7310
*Sep 19 22:08:30.988: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) QM_IDLE
*Sep 19 22:08:30.988: ISAKMP: set new node 1920892959 to QM_IDLE
*Sep 19 22:08:30.988: ISAKMP:(3026): processing HASH payload. message ID = 1920892959
*Sep 19 22:08:30.988: ISAKMP:(3026): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 1920892959, sa = 83A53D1C
*Sep 19 22:08:30.988: ISAKMP:(3026):peer does not do paranoid keepalives.
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 121.44.232.11)
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting node 1920892959 error FALSE reason "Informational (in) state 1"
*Sep 19 22:08:30.988: ISAKMP:(3026):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Sep 19 22:08:30.988: ISAKMP:(3026):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Now I've tried setting crypto isakmp identity address and played around with NAT-T (on the 877 I'm denying 10.1.0.0/24 packets from getting NATed; this is correct, I believe). I enable NAT-T on the router. The router has the latest firmware.
We've bought about 25 of these routers to be deployed on a test basis and will implement a lot more, but this router seems a bit flaky, and no debug logs make it all the harder.
The valid parts of the config are:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map James 10 ipsec-isakmp
 set peer 121.44.232.11
 set transform-set tset
 set pfs group2
 match address 160
and the map James is applied on Dialer1, the outside NAT interface.
I have set up the SRP527 as per the post here: https://supportforums.cisco.com/message/3270162
Any ideas what I could be doing wrong? Appreciate all the help I can get! Thanks guys
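The debug above is worth reading mechanically: Phase 1 reaches IKE_P1_COMPLETE and the SA is authenticated (so the pre-shared key and the ISAKMP policy match), Quick Mode starts, and the peer then answers with NOTIFY INVALID_ID_INFO, which the IOS side treats as a fatal informational and tears the SA down. INVALID_ID_INFO in Quick Mode means the responder rejected the Phase 2 identities, i.e. the local/remote proxy networks carried by the crypto ACL (access-list 160 here) do not agree with what the other end has configured; the earlier "peer matches *none* of the profiles" line is routine when no ISAKMP profile is configured and is not the error. The following triage script is an added example and not part of the thread or of any Cisco tool: it feeds a subset of the debug lines quoted above (embedded as a constructed sample) through a small parser and reports which phase the negotiation stopped in. State and notify names are the ones visible in the post plus IKE_QM_PHASE2_COMPLETE, which IOS logs when Quick Mode succeeds.

```python
import re

# Subset of the ISAKMP debug lines quoted in the post above (constructed sample
# for this example; the peer address is the one the thread shows).
SAMPLE_DEBUG = """\
*Sep 19 22:08:30.932: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 19 22:08:30.932: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 19 22:08:30.936: ISAKMP:(3026):SA has been authenticated with 121.44.232.11
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):beginning Quick Mode exchange, M-ID of 725457329
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Sep 19 22:08:30.988: ISAKMP:(3026): processing NOTIFY INVALID_ID_INFO protocol 1
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 121.44.232.11)
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+)")
PEER_RE = re.compile(r"(?:from|with|peer) (\d+\.\d+\.\d+\.\d+)")

# What each verdict means for the person fixing the tunnel.
EXPLANATIONS = {
    "phase1-failed": "Main Mode never authenticated: check ISAKMP policy and pre-shared key.",
    "phase2-proxy-id-mismatch": "Phase 1 is fine; the peer rejected the Quick Mode identities, "
                                "so compare the crypto ACL networks with the peer's local/remote "
                                "subnet definitions (and any NAT touching that traffic).",
    "phase2-rejected": "Phase 1 is fine but the peer sent a fatal informational in Quick Mode: "
                       "compare transform sets, PFS group and lifetimes.",
    "established": "Both phases completed.",
    "incomplete": "Debug ends before a conclusive state; capture more output.",
}


def parse_isakmp_debug(text):
    """Collect peer, state transitions, notifies and auth/fatal flags from debug lines."""
    facts = {"peer": None, "transitions": [], "notifies": [],
             "authenticated": False, "fatal": False}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and facts["peer"] is None:
            facts["peer"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            facts["transitions"].append((m.group(1), m.group(2)))
        m = NOTIFY_RE.search(line)
        if m:
            facts["notifies"].append(m.group(1))
        if "SA has been authenticated" in line:
            facts["authenticated"] = True
        if "fatal informational" in line:
            facts["fatal"] = True
    return facts


def diagnose(facts):
    """Map the collected facts to the IKE phase where negotiation stopped."""
    reached = {new for _, new in facts["transitions"]}
    if not facts["authenticated"]:
        return "phase1-failed"
    if "INVALID_ID_INFO" in facts["notifies"]:
        return "phase2-proxy-id-mismatch"
    if facts["fatal"]:
        return "phase2-rejected"
    if "IKE_QM_PHASE2_COMPLETE" in reached:
        return "established"
    return "incomplete"


def triage(text):
    """Return (verdict, explanation) for a block of 'debug crypto isakmp' output."""
    verdict = diagnose(parse_isakmp_debug(text))
    return verdict, EXPLANATIONS[verdict]


if __name__ == "__main__":
    facts = parse_isakmp_debug(SAMPLE_DEBUG)
    verdict, why = triage(SAMPLE_DEBUG)
    print(f"peer {facts['peer']}: {verdict}")
    print(why)
```

Paste the full output of debug crypto isakmp into the script instead of the embedded sample; the verdict for the log in this thread is phase2-proxy-id-mismatch, which is why changing the ISAKMP identity or NAT-T settings (Phase 1 knobs) did not move the failure.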

4 Replies

Andrew Hickman
Cisco Employee

Hi,

From what you have posted, it looks like you need to specify the preshared key in the IOS configuration.

Please see the attached for some config guidance.

Currently with the SRP520, NAT-T only accommodates scenarios where the SRP is behind NAT and the peer is not.  The next Maintenance Release will allow NAT at both ends.

I have also attached a sample IOS debug for attached config guide.

Hope this helps,

Andy

I tried to connect an SRP521W site-to-site VPN to a Cisco 2801, but it does not work; connecting the SRP521W site-to-site VPN to Linux Openswan works well.

Were you able to follow the config advice in the attachment above? In that case, I used a Cisco 871 router, but it should be the same for a 2800.

Andy

Eshan Bhide
Level 1

Andrew - thank you for the reply. I forgot to include the preshared key, but do have it specified:

#crypto isakmp key xx address 121.44.232.11

Ah, it makes sense if it's not meant to work behind remote NAT; I was just testing it on a non-production system to see how the VPN works. I guess I could wait till the next release to test this further, before deploying this on our VPN hub PIX (which is not behind NAT).

I'm going through the config documents attached now; it would be nice to see a bit more logging/debugging info on this router.