IPSEC / ISAKMP between CISCO1921/K9 and Checkpoint NOKIA IP1280 FW problems

phil_carter

Hello,

I have set up an IPSEC tunnel between a CISCO1921/K9 and Checkpoint FW running a GRE tunnel over it for local to remote site connectivity. Config below:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <key> address FAR.x.x.x
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set SITE_Transform esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto map Site_Map 10 ipsec-isakmp
 set peer FAR.x.x.x
 set transform-set SITE_Transform
 match address 160
!
!
interface GigabitEthernet0/0
 description Internet Provision
 ip address LOCAL.x.x.1 255.255.255.252
 ip access-group 161 in
 duplex auto
 speed auto
 no cdp enable
 crypto map Site_Map
!
access-list 160 permit gre host 10.200.4.29 host 10.171.0.126
access-list 160 permit icmp host 10.200.4.29 host 10.171.0.126
!
access-list 161 deny   gre any any
access-list 161 permit esp host FAR.x.x.x host LOCAL.x.x.1
access-list 161 permit esp host LOCAL.x.x.1 host FAR.x.x.x 
access-list 161 permit ip host FAR.x.x.x host LOCAL.x.x.1
access-list 161 permit ip host LOCAL.x.x.1 host FAR.x.x.x
!
interface Loopback0
 description Used-for-GRE-IPSEC-Only
 ip address 10.200.4.29 255.255.255.255
 no ip redirects
 no ip unreachables
!
interface Tunnel1
 description link to MRTX_R28_484
 bandwidth 10000
 ip address 172.16.122.93 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.171.0.126
!
ip route 10.171.0.126 255.255.255.255 LOCAL.x.x.2
ip route FAR.x.x.x 255.255.255.255 LOCAL.x.x.2

CISCO1921/K9: c1900-universalk9-mz.SPA.154-3.M2.bin

Nokia IP1280 checkpoint version is R75.40

All settings and ACLs defining interesting traffic have been matched up. The keepalive value for phase-1 ISAKMP is 24 hours, but bang on this time the IPSEC tunnel drops every day, then tries to reset itself, but takes anything up to an hour to complete. Obviously this knocks out the site until fully completed.

Does anyone know of any known issues or ways to resolve?

Thanks

Phil

3 Replies

Hello.

Check if IPSec/isakmp sa is active on one side only - use crypto isakmp keepalive / invalid spi recovery.

If not clear, I would debug crypto isakmp messages (and ipsec sa negotiation) to see what is going on during the issue.

Hello,

Thanks for the response - I have added the lines you suggested above.

Alongside this, I completed some further troubleshooting - when the phase-1 isakmp is cleared at either end, it recovers immediately with only a single packet drop. However, when the lifetime value expires at the router end, this fails to recover the session, until a manual reset is completed at the FW end. Debug output points to specific error code 32:

144897: Oct  8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE  (peer REMOTE.x.x.x)
144898: Oct  8 20:38:49: ISAKMP: set new node 1472531594 to QM_IDLE
144899: Oct  8 20:38:49: ISAKMP:(1266): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
144900: Oct  8 20:38:49: ISAKMP:(1266):Sending an IKE IPv4 Packet.
144901: Oct  8 20:38:49: ISAKMP:(1266):purging node 1472531594
144902: Oct  8 20:38:49: ISAKMP:(1266):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
144903: Oct  8 20:38:49: ISAKMP:(1266):Old State = IKE_P1_COMPLETE  New State =IKE_DEST_SA

144904: Oct  8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE   (peer REMOTE.x.x.x)
144905: Oct  8 20:38:49: ISAKMP: Unlocking peer struct 0x2C01D5A0 for isadb_mark_sa_deleted(), count 1
144906: Oct  8 20:38:49: ISAKMP:(1266):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
144907: Oct  8 20:38:49: ISAKMP:(1266):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

144908: Oct  8 20:38:49: ISAKMP (1267): received packet from REMOTE.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
144909: Oct  8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
144910: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM4  New State = IKE_R_MM5

144911: Oct  8 20:38:49: ISAKMP:(1267): processing ID payload. message ID = 0
144912: Oct  8 20:38:49: ISAKMP (1267): ID payload
        next-payload : 8
        type         : 1
        address      : REMOTE.x.x.x
        protocol     : 0
        port         : 0
        length       : 12
144913: Oct  8 20:38:49: ISAKMP:(0):: peer matches *none* of the profiles
144914: Oct  8 20:38:49: ISAKMP:(1267): processing HASH payload. message ID = 0
144915: Oct  8 20:38:49: ISAKMP:(1267):SA authentication status:  authenticated
144916: Oct  8 20:38:49: ISAKMP:(1267):SA has been authenticated with REMOTE.x.x.x
144917: Oct  8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
144918: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5  New State = IKE_R_MM5

144919: Oct  8 20:38:49: ISAKMP:(1267):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
144920: Oct  8 20:38:49: ISAKMP (1267): ID payload
        next-payload : 8
        type         : 1
        address      : LOCAL.x.x.x
        protocol     : 17
        port         : 500
        length       : 12
144921: Oct  8 20:38:49: ISAKMP:(1267):Total payload length: 12
144922: Oct  8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
144923: Oct  8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144924: Oct  8 20:38:49: ISAKMP:(1267):Returning Actual lifetime: 180
144925: Oct  8 20:38:49: ISAKMP: set new node -2129989191 to QM_IDLE
144926: Oct  8 20:38:49: ISAKMP:(1267):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 739008696, message ID = 2164978105
144927: Oct  8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
144928: Oct  8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144929: Oct  8 20:38:49: ISAKMP:(1267):purging node -2129989191
144930: Oct  8 20:38:49: ISAKMP: Sending phase 1 responder lifetime 180
144931: Oct  8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
144932: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
144933: Oct  8 20:38:49: ISAKMP:(1267):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
144934: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_P1_COMPLETE  New State =IKE_P1_COMPLETE
144935: Oct  8 20:38:49: ISAKMP (1267): received packet from REMOTE.x.x.x dport 500 sport 500 Global (R) QM_IDLE
144936: Oct  8 20:38:49: ISAKMP: set new node 1584984 to QM_IDLE
144937: Oct  8 20:38:49: ISAKMP:(1267): processing HASH payload. message ID = 1584984
144938: Oct  8 20:38:49: ISAKMP:(1267): processing SA payload. message ID = 1584984
144939: Oct  8 20:38:49: ISAKMP:(1267):Checking IPSec proposal 1
144940: Oct  8 20:38:49: ISAKMP: transform 1, ESP_AES
144941: Oct  8 20:38:49: ISAKMP:   attributes in transform:
144942: Oct  8 20:38:49: ISAKMP:      SA life type in seconds
144943: Oct  8 20:38:49: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
144944: Oct  8 20:38:49: ISAKMP:      authenticator is HMAC-SHA
144945: Oct  8 20:38:49: ISAKMP:      encaps is 1 (Tunnel)
144946: Oct  8 20:38:49: ISAKMP:      key length is 256
144947: Oct  8 20:38:49: ISAKMP:(1267):atts are acceptable.
144948: Oct  8 20:38:49: ISAKMP:(1267): IPSec policy invalidated proposal with error 32
144949: Oct  8 20:38:49: ISAKMP:(1267): phase 2 SA policy not acceptable! (local LOCAL.x.x.x remote REMOTE.x.x.x)
144950: Oct  8 20:38:49: ISAKMP: set new node -355309961 to QM_IDLE
144951: Oct  8 20:38:49: ISAKMP:(1267):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 739007736, message ID = 3939657335
144952: Oct  8 20:38:49: ISAKMP:(1267): sending packet to REMOTE.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
144953: Oct  8 20:38:49: ISAKMP:(1267):Sending an IKE IPv4 Packet.
144954: Oct  8 20:38:49: ISAKMP:(1267):purging node -355309961
144955: Oct  8 20:38:49: ISAKMP:(1267):deleting node 1584984 error TRUE reason "QM rejected"

Any ideas?

Thanks

Phil
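To make debug output like the above quicker to triage, here is an added Python example; it is not code from the thread, from Cisco or from Check Point. It parses ISAKMP debug lines of the wording shown in Phil's post, groups them by SA id, decodes the hex-encoded SA life duration attribute (0x0 0x0 0xE 0x10 is 3600 seconds) and reports an SA that authenticated in phase 1 but had its Quick Mode proposal rejected, together with the error code and NOTIFY type. The sample lines are a constructed excerpt of the posted output; the regular expressions assume the IOS debug wording seen in that post and nothing else.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the debug lines posted in the thread;
# addresses are anonymised exactly as in the original post.
SAMPLE_DEBUG = """\
144897: Oct  8 20:38:49: ISAKMP:(1266):deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE  (peer REMOTE.x.x.x)
144910: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM4  New State = IKE_R_MM5
144915: Oct  8 20:38:49: ISAKMP:(1267):SA authentication status:  authenticated
144932: Oct  8 20:38:49: ISAKMP:(1267):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
144940: Oct  8 20:38:49: ISAKMP: transform 1, ESP_AES
144943: Oct  8 20:38:49: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
144944: Oct  8 20:38:49: ISAKMP:      authenticator is HMAC-SHA
144945: Oct  8 20:38:49: ISAKMP:      encaps is 1 (Tunnel)
144946: Oct  8 20:38:49: ISAKMP:      key length is 256
144948: Oct  8 20:38:49: ISAKMP:(1267): IPSec policy invalidated proposal with error 32
144951: Oct  8 20:38:49: ISAKMP:(1267):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
144955: Oct  8 20:38:49: ISAKMP:(1267):deleting node 1584984 error TRUE reason "QM rejected"
"""

# Patterns follow the IOS wording seen in the post; both "ISAKMP:(1266)" and
# "ISAKMP (1267)" forms carry the SA id.
SA_ID_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State =\s*(\S+)")
DELETE_SA_RE = re.compile(r'deleting SA reason "([^"]+)"')
LIFE_RE = re.compile(r"SA life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")
ERROR_RE = re.compile(r"invalidated proposal with error (\d+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\w+)")
NODE_RE = re.compile(r'deleting node -?\d+ error \w+ reason "([^"]+)"')
ATTR_RES = {
    "transform": re.compile(r"transform \d+, (\w+)"),
    "authenticator": re.compile(r"authenticator is (\S+)"),
    "encaps": re.compile(r"encaps is \d+ \((\w+)\)"),
    "key_length": re.compile(r"key length is (\d+)"),
}


def decode_life_duration(words: str) -> int:
    """IOS prints the variable-length lifetime attribute as big-endian bytes:
    '0x0 0x0 0xE 0x10' -> 0x00000E10 -> 3600 (seconds, per 'SA life type')."""
    value = 0
    for word in words.split():
        byte = int(word, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"not a byte: {word}")
        value = (value << 8) | byte
    return value


@dataclass
class SaSummary:
    sa_id: str
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    delete_reason: Optional[str] = None
    proposal: Dict[str, object] = field(default_factory=dict)
    phase2_error: Optional[int] = None
    notify: Optional[str] = None
    rejected_reason: Optional[str] = None


def parse_isakmp_debug(text: str) -> Dict[str, SaSummary]:
    """Group debug lines by SA id; attribute lines without an id (the indented
    transform attributes) belong to the most recently seen SA."""
    sas: Dict[str, SaSummary] = {}
    current: Optional[SaSummary] = None
    for line in text.splitlines():
        id_match = SA_ID_RE.search(line)
        if id_match:
            current = sas.setdefault(id_match.group(1), SaSummary(id_match.group(1)))
        if current is None:
            continue  # attribute line before any SA id: nothing to attach it to
        if m := STATE_RE.search(line):
            current.transitions.append((m.group(1), m.group(2)))
        elif m := DELETE_SA_RE.search(line):
            current.delete_reason = m.group(1)
        elif m := LIFE_RE.search(line):
            current.proposal["lifetime_seconds"] = decode_life_duration(m.group(1))
        elif m := ERROR_RE.search(line):
            current.phase2_error = int(m.group(1))
        elif m := NOTIFY_RE.search(line):
            current.notify = m.group(1)
        elif m := NODE_RE.search(line):
            current.rejected_reason = m.group(1)
        else:
            for key, rx in ATTR_RES.items():
                if m := rx.search(line):
                    current.proposal[key] = int(m.group(1)) if key == "key_length" else m.group(1)
    return sas


def phase1_completed(sa: SaSummary) -> bool:
    """True once a state transition landed in IKE_P1_COMPLETE."""
    return any(new == "IKE_P1_COMPLETE" for _, new in sa.transitions)


def diagnose(sa: SaSummary) -> str:
    """One-line verdict: phase 1 outcome plus any Quick Mode rejection."""
    if sa.phase2_error is not None:
        p1 = "completed" if phase1_completed(sa) else "incomplete"
        return (f"SA {sa.sa_id}: phase 1 {p1}; phase 2 proposal rejected with error "
                f"{sa.phase2_error} (NOTIFY {sa.notify}); offered {sa.proposal}")
    if sa.delete_reason:
        return f"SA {sa.sa_id}: torn down, reason '{sa.delete_reason}'"
    return f"SA {sa.sa_id}: no failure recorded"


if __name__ == "__main__":
    for sa in parse_isakmp_debug(SAMPLE_DEBUG).values():
        print(diagnose(sa))
```

Run against the excerpt, the script reports SA 1266 torn down for "IKE SA Lifetime Exceeded" and SA 1267 as phase 1 completed but phase 2 rejected with error 32 and PROPOSAL_NOT_CHOSEN, with the peer's offered lifetime decoded to 3600 seconds. That separation is the point of the exercise: the pre-shared-key authentication is fine, so the place to look is the phase 2 policy (proxy identities, transform set, lifetimes), not the ISAKMP policy.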

Hello.

During the negotiation, please enable ipsec debug as well. There should be a message from IPSec right after the line "ISAKMP:(1267):atts are acceptable."

PS: if you see "proxy identities not supported", check the opposite side for ISAKMP identity settings (or try to set it to address or hostname on the local side with the command "crypto isakmp identity ...").
