10-07-2015 03:37 AM - edited 03-05-2019 02:28 AM
Hello,
I have set up an IPSEC tunnel between a CISCO1921/K9 and a Checkpoint FW, running a GRE tunnel over it for local-to-remote site connectivity. Config below:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <key> address FAR.x.x.x
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set SITE_Transform esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto map Site_Map 10 ipsec-isakmp
 set peer FAR.x.x.x
 set transform-set SITE_Transform
 match address 160
!
!
interface GigabitEthernet0/0
 description Internet Provision
 ip address LOCAL.x.x.1 255.255.255.252
 ip access-group 161 in
 duplex auto
 speed auto
 no cdp enable
 crypto map Site_Map
!
access-list 160 permit gre host 10.200.4.29 host 10.171.0.126
access-list 160 permit icmp host 10.200.4.29 host 10.171.0.126
!
access-list 161 deny gre any any
access-list 161 permit esp host FAR.x.x.x host LOCAL.x.x.1
access-list 161 permit esp host LOCAL.x.x.1 host FAR.x.x.x
access-list 161 permit ip host FAR.x.x.x host LOCAL.x.x.1
access-list 161 permit ip host LOCAL.x.x.1 host FAR.x.x.x
!
interface Loopback0
 description Used-for-GRE-IPSEC-Only
 ip address 10.200.4.29 255.255.255.255
 no ip redirects
 no ip unreachables
!
interface Tunnel1
 description link to MRTX_R28_484
 bandwidth 10000
 ip address 172.16.122.93 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.171.0.126
!
ip route 10.171.0.126 255.255.255.255 LOCAL.x.x.2
ip route FAR.x.x.x 255.255.255.255 LOCAL.x.x.2
CISCO1921/K9: c1900-universalk9-mz.SPA.154-3.M2.bin
All settings and ACLs defining interesting traffic have been matched up. The keepalive value for phase-1 ISAKMP is 24-hours, but bang on this time the IPSEC tunnel drops everyday, then tries to reset itself, but takes anything up to an hour to complete. Obviously this knocks out the site until fully completed.
Does anyone know of any known issues or ways to resolve?
Thanks
Phil
10-08-2015 09:48 AM
Hello.
Check if IPSec/isakmp sa is active on one side only - use crypto isakmp keepalive / invalid spi recovery.
If not clear, I would debug crypto isakmp messages (and ipsec sa negotiation) to see what is going on during the issue.
10-09-2015 02:03 AM
Hello,
Thanks for the response - I have added the lines you suggested above.
Alongside this, I completed some further troubleshooting - when the phase-1 isakmp is cleared at either end, it recovers immediately with only a single packet drop. However, when the lifetime value expires at the router end, this fails to recover the session, until a manual reset is completed at the FW end. Debug output points to specific error code 32:
144897: Oct 8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer REMOTE.x.x.x)
144898: Oct 8 20:38:49: ISAKMP: set new node 1472531594 to QM_IDLE
144899: Oct 8 20:38:49: ISAKMP:(1266): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
144900: Oct 8 20:38:49: ISAKMP:(1266):Sending an IKE IPv4 Packet.
144901: Oct 8 20:38:49: ISAKMP:(1266):purging node 1472531594
144902: Oct 8 20:38:49: ISAKMP:(1266):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
144903: Oct 8 20:38:49: ISAKMP:(1266):Old State = IKE_P1_COMPLETE New State =IKE_DEST_SA
144904: Oct 8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer REMOTE.x.x.x)
144905: Oct 8 20:38:49: ISAKMP: Unlocking peer struct 0x2C01D5A0 for isadb_mark_sa_deleted(), count 1
144906: Oct 8 20:38:49: ISAKMP:(1266):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
144907: Oct 8 20:38:49: ISAKMP:(1266):Old State = IKE_DEST_SA New State = IKE_DEST_SA
144908: Oct 8 20:38:49: ISAKMP (1267): received packet from REMOTE.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
144909: Oct 8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
144910: Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM4 New State = IKE_R_MM5
144911: Oct 8 20:38:49: ISAKMP:(1267): processing ID payload. message ID = 0
144912: Oct 8 20:38:49: ISAKMP (1267): ID payload
    next-payload : 8
    type : 1
    address : REMOTE.x.x.x
    protocol : 0
    port : 0
    length : 12
144913: Oct 8 20:38:49: ISAKMP:(0):: peer matches *none* of the profiles
144914: Oct 8 20:38:49: ISAKMP:(1267): processing HASH payload. message ID = 0
144915: Oct 8 20:38:49: ISAKMP:(1267):SA authentication status: authenticated
144916: Oct 8 20:38:49: ISAKMP:(1267):SA has been authenticated with REMOTE.x.x.x
144917: Oct 8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
144918: Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5 New State = IKE_R_MM5
144919: Oct 8 20:38:49: ISAKMP:(1267):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
144920: Oct 8 20:38:49: ISAKMP (1267): ID payload
    next-payload : 8
    type : 1
    address : LOCAL.x.x.x
    protocol : 17
    port : 500
    length : 12
144921: Oct 8 20:38:49: ISAKMP:(1267):Total payload length: 12
144922: Oct 8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
144923: Oct 8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144924: Oct 8 20:38:49: ISAKMP:(1267):Returning Actual lifetime: 180
144925: Oct 8 20:38:49: ISAKMP: set new node -2129989191 to QM_IDLE
144926: Oct 8 20:38:49: ISAKMP:(1267):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 739008696, message ID = 2164978105
144927: Oct 8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
144928: Oct 8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144929: Oct 8 20:38:49: ISAKMP:(1267):purging node -2129989191
144930: Oct 8 20:38:49: ISAKMP: Sending phase 1 responder lifetime 180
144931: Oct 8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
144932: Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
144933: Oct 8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
144934: Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_P1_COMPLETE New State =IKE_P1_COMPLETE
144935: Oct 8 20:38:49: ISAKMP (1267): received packet from REMOTE.x.x.x dport 500 sport 500 Global (R) QM_IDLE
144936: Oct 8 20:38:49: ISAKMP: set new node 1584984 to QM_IDLE
144937: Oct 8 20:38:49: ISAKMP:(1267): processing HASH payload. message ID = 1584984
144938: Oct 8 20:38:49: ISAKMP:(1267): processing SA payload. message ID = 1584984
144939: Oct 8 20:38:49: ISAKMP:(1267):Checking IPSec proposal 1
144940: Oct 8 20:38:49: ISAKMP: transform 1, ESP_AES
144941: Oct 8 20:38:49: ISAKMP: attributes in transform:
144942: Oct 8 20:38:49: ISAKMP: SA life type in seconds
144943: Oct 8 20:38:49: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
144944: Oct 8 20:38:49: ISAKMP: authenticator is HMAC-SHA
144945: Oct 8 20:38:49: ISAKMP: encaps is 1 (Tunnel)
144946: Oct 8 20:38:49: ISAKMP: key length is 256
144947: Oct 8 20:38:49: ISAKMP:(1267):atts are acceptable.
144948: Oct 8 20:38:49: ISAKMP:(1267): IPSec policy invalidated proposal with error 32
144949: Oct 8 20:38:49: ISAKMP:(1267): phase 2 SA policy not acceptable! (local LOCAL.x.x.x remote REMOTE.x.x.x)
144950: Oct 8 20:38:49: ISAKMP: set new node -355309961 to QM_IDLE
144951: Oct 8 20:38:49: ISAKMP:(1267):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 739007736, message ID = 3939657335
144952: Oct 8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
144953: Oct 8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144954: Oct 8 20:38:49: ISAKMP:(1267):purging node -355309961
144955: Oct 8 20:38:49: ISAKMP:(1267):deleting node 1584984 error TRUE reason "QM rejected"
Any ideas?
Thanks
Phil
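The debug above can be read mechanically rather than by eye. The following Python is an added example (my own code, not from this thread or from Cisco) that parses `debug crypto isakmp` output into a per-SA timeline and flags exactly the sequence shown in the post: SA 1266 deleted with reason "IKE SA Lifetime Exceeded", SA 1267 authenticating and reaching IKE_P1_COMPLETE, and then the Quick Mode proposal rejected with error 32 and a PROPOSAL_NOT_CHOSEN notify. The regular expressions are written against the line shapes that appear in this post only; the embedded sample is an abridged copy of those lines with the sequence numbers removed and the wrapped NOTIFY line joined, and the script name in the usage note is hypothetical.

```python
"""Parse Cisco IOS `debug crypto isakmp` output into a per-SA timeline and
flag the pattern from the thread: an IKE SA torn down for lifetime expiry,
a replacement SA that authenticates, then a Quick Mode proposal rejected."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes seen in the debug above. The leading sequence number and
# timestamp are ignored; only the ISAKMP body is matched.
SA_ID_RE = re.compile(r"ISAKMP:?\s*\((\d+)\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State =\s*(\S+)")
DELETE_SA_RE = re.compile(r'deleting SA reason "([^"]+)"')
PROPOSAL_ERR_RE = re.compile(r"invalidated proposal with error (\d+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+) protocol (\d+)")
NODE_REJECT_RE = re.compile(r'deleting node \S+ error TRUE reason "([^"]+)"')


@dataclass
class SaTimeline:
    """Everything the debug said about one ISAKMP SA, keyed by its id."""
    sa_id: int
    states: List[Tuple[str, str]] = field(default_factory=list)
    authenticated: bool = False
    delete_reason: Optional[str] = None
    proposal_errors: List[int] = field(default_factory=list)       # IPsec error codes
    notifies: List[Tuple[str, int]] = field(default_factory=list)  # (type, protocol)
    node_rejections: List[str] = field(default_factory=list)

    def reached(self, state: str) -> bool:
        return any(new == state for _, new in self.states)

    @property
    def qm_rejected(self) -> bool:
        return any("QM rejected" in r for r in self.node_rejections)


def parse_isakmp_debug(text: str) -> Dict[int, SaTimeline]:
    """Group debug lines by SA id; lines with no id, or id 0, are global noise."""
    sas: Dict[int, SaTimeline] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_ID_RE.search(line)
        if not m or int(m.group(1)) == 0:
            continue
        sa_id = int(m.group(1))
        tl = sas.setdefault(sa_id, SaTimeline(sa_id))
        if s := STATE_RE.search(line):
            tl.states.append((s.group(1), s.group(2)))
        elif d := DELETE_SA_RE.search(line):
            tl.delete_reason = d.group(1)
        elif "SA has been authenticated" in line:
            tl.authenticated = True
        elif e := PROPOSAL_ERR_RE.search(line):
            tl.proposal_errors.append(int(e.group(1)))
        elif n := NOTIFY_RE.search(line):
            tl.notifies.append((n.group(1), int(n.group(2))))
        elif r := NODE_REJECT_RE.search(line):
            tl.node_rejections.append(r.group(1))
    return sas


def find_failed_rekeys(sas: Dict[int, SaTimeline]) -> List[dict]:
    """Pair each lifetime-expired SA with the first authenticated SA created
    after it and report the pair when that replacement completed phase 1 but
    had its Quick Mode (protocol 3) proposal rejected."""
    findings = []
    ordered = sorted(sas.values(), key=lambda t: t.sa_id)
    for old in ordered:
        if not (old.delete_reason and "Lifetime" in old.delete_reason):
            continue
        for new in ordered:
            if new.sa_id <= old.sa_id or not new.authenticated:
                continue
            if new.reached("IKE_P1_COMPLETE") and new.qm_rejected:
                findings.append({
                    "expired_sa": old.sa_id,
                    "replacement_sa": new.sa_id,
                    "delete_reason": old.delete_reason,
                    "proposal_errors": list(new.proposal_errors),
                    "notifies": [name for name, proto in new.notifies if proto == 3],
                })
            break  # only the first authenticated successor is the rekey
    return findings


# Abridged copy of the debug lines quoted in the post above (sequence numbers
# dropped, the two-line PROPOSAL_NOT_CHOSEN notify joined onto one line).
SAMPLE_DEBUG = """\
Oct 8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer REMOTE.x.x.x)
Oct 8 20:38:49: ISAKMP: set new node 1472531594 to QM_IDLE
Oct 8 20:38:49: ISAKMP:(1266):Old State = IKE_P1_COMPLETE New State =IKE_DEST_SA
Oct 8 20:38:49: ISAKMP (1267): received packet from REMOTE.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 8 20:38:49: ISAKMP:(0):: peer matches *none* of the profiles
Oct 8 20:38:49: ISAKMP:(1267):SA has been authenticated with REMOTE.x.x.x
Oct 8 20:38:49: ISAKMP:(1267):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 739008696, message ID = 2164978105
Oct 8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Oct 8 20:38:49: ISAKMP:(1267):atts are acceptable.
Oct 8 20:38:49: ISAKMP:(1267): IPSec policy invalidated proposal with error 32
Oct 8 20:38:49: ISAKMP:(1267): phase 2 SA policy not acceptable! (local LOCAL.x.x.x remote REMOTE.x.x.x)
Oct 8 20:38:49: ISAKMP:(1267):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 739007736, message ID = 3939657335
Oct 8 20:38:49: ISAKMP:(1267):deleting node 1584984 error TRUE reason "QM rejected"
"""

if __name__ == "__main__":
    for finding in find_failed_rekeys(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run as `python isakmp_rekey.py` (hypothetical name) to see the single finding for the sample; to use it on a live capture, replace SAMPLE_DEBUG with the text of `show logging` or a terminal log taken while `debug crypto isakmp` is on. The point of pairing the expired SA with its successor is that it separates this failure (phase 1 succeeds, phase 2 is refused by local IPsec policy) from a phase 1 failure, which is what a manual `clear crypto isakmp` at one end would not exhibit.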
10-09-2015 03:54 AM
Hello.
During the negotiation, please enable ipsec debug as well. There should be a message from IPSec right after the line "ISAKMP:(1267):atts are acceptable."
PS: if you see "proxy identities not supported" - check the opposite side for ISAKMP identity settings (or try to set it to address or hostname on the local side with the command "crypto isakmp identity ...").