03-09-2011 10:48 PM
Hi guys,
I am trying to set up a site-to-site IPsec tunnel between this model of router and a simple 877 router. I have tested this on an 1841 and it doesn't seem to work either.
The debug logs:
*Sep 19 22:08:30.932: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 19 22:08:30.932: ISAKMP:(3026): processing ID payload. message ID = 0
*Sep 19 22:08:30.932: ISAKMP (0:3026): ID payload
    next-payload : 8
    type         : 1
    address      : 121.44.232.11
    protocol     : 0
    port         : 0
    length       : 12
*Sep 19 22:08:30.932: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 19 22:08:30.932: ISAKMP:(3026): processing HASH payload. message ID = 0
*Sep 19 22:08:30.932: ISAKMP:(3026):SA authentication status:
    authenticated
*Sep 19 22:08:30.936: ISAKMP:(3026):SA has been authenticated with 121.44.232.11
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 19 22:08:30.936: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):beginning Quick Mode exchange, M-ID of 725457329
*Sep 19 22:08:30.940: ISAKMP:(3026):QM Initiator gets spi
*Sep 19 22:08:30.940: ISAKMP:(3026): sending packet to 121.44.232.11 my_port 500 peer_port 500 (I) QM_IDLE
*Sep 19 22:08:30.940: ISAKMP:(3026):Sending an IKE IPv4 Packet.
*Sep 19 22:08:30.940: ISAKMP:(3026):Node 725457329, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Sep 19 22:08:30.940: ISAKMP:(3026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.968: ISAKMP:(3024):purging SA., sa=836D7310, delme=836D7310
*Sep 19 22:08:30.988: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) QM_IDLE
*Sep 19 22:08:30.988: ISAKMP: set new node 1920892959 to QM_IDLE
*Sep 19 22:08:30.988: ISAKMP:(3026): processing HASH payload. message ID = 1920892959
*Sep 19 22:08:30.988: ISAKMP:(3026): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1920892959, sa = 83A53D1C
*Sep 19 22:08:30.988: ISAKMP:(3026):peer does not do paranoid keepalives.
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 121.44.232.11)
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting node 1920892959 error FALSE reason "Informational (in) state 1"
*Sep 19 22:08:30.988: ISAKMP:(3026):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Sep 19 22:08:30.988: ISAKMP:(3026):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
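As an added example (the editor's, not part of this thread and not a Cisco tool), here is a small Python triage script that reads `debug crypto isakmp` output like the excerpt above and reports where the negotiation died. The sample lines are constructed from the posted debug (same peer, SA number and sequence of events, not a verbatim copy). The diagnosis it gives for `INVALID_ID_INFO` follows the standard ISAKMP meaning of that notify (the identities offered were not acceptable to the peer), which in a Quick Mode exchange points at the proxy identities, i.e. the crypto ACL or local/remote network definitions on the two ends; that reading is the editor's, not the original poster's. The `peer matches *none* of the profiles` line is recorded separately because it only reports that no `crypto isakmp profile` matched, which is also seen on tunnels built from a plain crypto map.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the "debug crypto isakmp" excerpt posted above
# (same peer, same SA number, same sequence of events; not a verbatim copy).
SAMPLE_LOG = """\
*Sep 19 22:08:30.932: ISAKMP (0:3026): received packet from 121.44.232.11 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 19 22:08:30.932: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 19 22:08:30.936: ISAKMP:(3026):SA has been authenticated with 121.44.232.11
*Sep 19 22:08:30.936: ISAKMP:(3026):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Sep 19 22:08:30.936: ISAKMP:(3026):beginning Quick Mode exchange, M-ID of 725457329
*Sep 19 22:08:30.940: ISAKMP:(3026):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Sep 19 22:08:30.988: ISAKMP:(3026): processing NOTIFY INVALID_ID_INFO protocol 1
*Sep 19 22:08:30.988: ISAKMP:(3026):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE  (peer 121.44.232.11)
"""

RE_PEER = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
RE_AUTH = re.compile(r"SA has been authenticated with (\S+)")
RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_NOTIFY = re.compile(r"processing NOTIFY (\S+)")


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    phase1_authenticated: bool = False
    phase1_complete: bool = False
    quick_mode_started: bool = False
    no_profile_match: bool = False      # "peer matches *none* of the profiles" seen
    fatal_informational: bool = False   # SA deleted after a fatal informational
    notifies: List[str] = field(default_factory=list)
    transitions: List[Tuple[str, str]] = field(default_factory=list)


def summarize(log_text: str) -> IkeSummary:
    """Walk the debug lines once and record the facts a triage needs."""
    s = IkeSummary()
    for line in log_text.splitlines():
        if (m := RE_PEER.search(line)) and s.peer is None:
            s.peer = m.group(1)
        if RE_AUTH.search(line):
            s.phase1_authenticated = True
        if m := RE_STATE.search(line):
            old, new = m.group(1), m.group(2)
            s.transitions.append((old, new))
            if new == "IKE_P1_COMPLETE":
                s.phase1_complete = True
        if "beginning Quick Mode exchange" in line:
            s.quick_mode_started = True
        if "peer matches *none* of the profiles" in line:
            s.no_profile_match = True
        if m := RE_NOTIFY.search(line):
            s.notifies.append(m.group(1))
        if "deleting SA reason" in line and "fatal informational" in line.lower():
            s.fatal_informational = True
    return s


def verdict(s: IkeSummary) -> str:
    """Turn the recorded facts into a one-line diagnosis (editor's interpretation)."""
    peer = s.peer or "<unknown peer>"
    if not s.phase1_complete:
        return (f"Phase 1 with {peer} never reached IKE_P1_COMPLETE: "
                "check the ISAKMP policy and pre-shared key for this peer first.")
    if "INVALID_ID_INFO" in s.notifies:
        # Standard ISAKMP notify: the identities we offered were rejected. After
        # Phase 1 is complete those are the Quick Mode proxy IDs (crypto ACL).
        return (f"Phase 1 with {peer} completed; Phase 2 was rejected by the peer with "
                "INVALID_ID_INFO: the proxy identities offered in Quick Mode did not match "
                "what the peer allows, so compare the crypto ACL / local and remote "
                "networks on both ends.")
    if s.fatal_informational:
        return (f"Phase 1 with {peer} completed; SA torn down after a fatal informational: "
                f"notifies seen = {s.notifies or ['none']}.")
    return f"No failure found in this excerpt for {peer}."


def triage(log_text: str) -> str:
    return verdict(summarize(log_text))


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the full output of `debug crypto isakmp` rather than a trimmed excerpt: the script keys on the `IKE_P1_COMPLETE` transition to separate "wrong key or policy" failures from "Phase 2 identity" failures, so cutting the log before that line produces the first diagnosis even when Phase 1 was fine.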
03-10-2011 05:05 AM
Hi,
From what you have posted, it looks like you need to specify the preshared key in the IOS configuration.
Please see the attached for some config guidance.
Currently with the SRP520, NAT-T only accommodates scenarios where the SRP is behind NAT and the peer is not. The next Maintenance Release will allow NAT at both ends.
I have also attached a sample IOS debug for attached config guide.
Hope this helps,
Andy
03-10-2011 10:21 AM
I am trying to connect an SRP521W site-to-site VPN to a Cisco 2801, but it does not work; connecting the SRP521W site-to-site VPN to Linux Openswan works well.
03-10-2011 12:59 PM
Were you able to follow the config advice in the attachment above? In that case, I used a Cisco 871 router, but it should be the same for a 2800.
Andy
03-10-2011 02:25 PM
Andrew - thank you for the reply. I forgot to include the preshared key, but do have it specified:
#crypto isakmp key xx address 121.44.232.11
Ah, it makes sense if it's not meant to work behind remote NAT. I was just testing it on a non-production system to see how the VPN works. I guess I could wait till the next release to test this further, before deploying this on our VPN hub PIX (which is not behind NAT).
I'm going through the config documents attached now, it would be nice to see a bit more logging/debugging info on this router.