IPsec Recevied fatal informational Errors

szechyjs7
Level 1

From what I can tell, phase 1 completes but phase 2 doesn't seem to be working.

10.0.100.0/23 <==> Mikrotik Router (aa.bbb.cc.ddd)  <==Internet==> Cisco 2821 (ww.xxx.yy.zz) <==> 10.0.50.0/24

*Aug 23 03:37:14.497: ISAKMP: local port 500, remote port 500
*Aug 23 03:37:14.497: ISAKMP: set new node 0 to QM_IDLE
*Aug 23 03:37:14.497: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 513D19EC
*Aug 23 03:37:14.497: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
*Aug 23 03:37:14.497: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Aug 23 03:37:14.497: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Aug 23 03:37:14.497: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 23 03:37:14.497: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Aug 23 03:37:14.497: ISAKMP:(0): beginning Main Mode exchange
*Aug 23 03:37:14.497: ISAKMP:(0): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 23 03:37:14.497: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.541: ISAKMP (0): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 23 03:37:14.541: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.541: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Aug 23 03:37:14.541: ISAKMP:(0): processing SA payload. message ID = 0
*Aug 23 03:37:14.541: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.541: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 23 03:37:14.541: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 23 03:37:14.541: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.541: ISAKMP:(0): vendor ID is DPD
*Aug 23 03:37:14.541: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.541: ISAKMP:(0): local preshared key found
*Aug 23 03:37:14.541: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Aug 23 03:37:14.541: ISAKMP:      encryption AES-CBC
*Aug 23 03:37:14.541: ISAKMP:      keylength of 256
*Aug 23 03:37:14.541: ISAKMP:      hash SHA512
*Aug 23 03:37:14.541: ISAKMP:      default group 14
*Aug 23 03:37:14.541: ISAKMP:      auth pre-share
*Aug 23 03:37:14.541: ISAKMP:      life type in seconds
*Aug 23 03:37:14.541: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug 23 03:37:14.541: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug 23 03:37:14.545: ISAKMP:(0):Acceptable atts:actual life: 0
*Aug 23 03:37:14.545: ISAKMP:(0):Acceptable atts:life: 0
*Aug 23 03:37:14.545: ISAKMP:(0):Fill atts in sa vpi_length:4
*Aug 23 03:37:14.545: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Aug 23 03:37:14.545: ISAKMP:(0):Returning Actual lifetime: 86400
*Aug 23 03:37:14.545: ISAKMP:(0)::Started lifetime timer: 86400.

*Aug 23 03:37:14.545: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.545: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 23 03:37:14.545: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 23 03:37:14.545: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.545: ISAKMP:(0): vendor ID is DPD
*Aug 23 03:37:14.545: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.545: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Aug 23 03:37:14.545: ISAKMP:(0): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug 23 03:37:14.545: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.545: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.545: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Aug 23 03:37:14.717: ISAKMP (0): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug 23 03:37:14.717: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.717: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Aug 23 03:37:14.717: ISAKMP:(0): processing KE payload. message ID = 0
*Aug 23 03:37:14.781: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug 23 03:37:14.781: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.781: ISAKMP:received payload type 20
*Aug 23 03:37:14.781: ISAKMP (16444): His hash no match - this node outside NAT
*Aug 23 03:37:14.781: ISAKMP:received payload type 20
*Aug 23 03:37:14.781: ISAKMP (16444): No NAT Found for self or peer
*Aug 23 03:37:14.781: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.781: ISAKMP:(16444):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Aug 23 03:37:14.781: ISAKMP:(16444):Send initial contact
*Aug 23 03:37:14.781: ISAKMP:(16444):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 23 03:37:14.781: ISAKMP (16444): ID payload
        next-payload : 8
        type         : 1
        address      : ww.xxx.yy.zz
        protocol     : 17
        port         : 500
        length       : 12
*Aug 23 03:37:14.781: ISAKMP:(16444):Total payload length: 12
*Aug 23 03:37:14.785: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug 23 03:37:14.785: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.785: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.785: ISAKMP:(16444):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Aug 23 03:37:14.849: ISAKMP (16444): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 23 03:37:14.849: ISAKMP:(16444): processing ID payload. message ID = 0
*Aug 23 03:37:14.849: ISAKMP (16444): ID payload
        next-payload : 8
        type         : 1
        address      : aa.bbb.cc.ddd
        protocol     : 17
        port         : 500
        length       : 12
*Aug 23 03:37:14.849: ISAKMP:(16444): processing HASH payload. message ID = 0
*Aug 23 03:37:14.849: ISAKMP:(16444):SA authentication status:
        authenticated
*Aug 23 03:37:14.849: ISAKMP:(16444):SA has been authenticated with aa.bbb.cc.ddd
*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Aug 23 03:37:14.853: ISAKMP:(16444):beginning Quick Mode exchange, M-ID of 1235091029
*Aug 23 03:37:14.853: ISAKMP:(16444):QM Initiator gets spi
*Aug 23 03:37:14.853: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) QM_IDLE
*Aug 23 03:37:14.853: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.853: ISAKMP:(16444):Node 1235091029, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 23 03:37:14.853: ISAKMP:(16444):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Aug 23 03:37:14.853: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 23 03:37:14.853: ISAKMP:(16444):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 23 03:37:14.901: ISAKMP (16444): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) QM_IDLE
*Aug 23 03:37:14.901: ISAKMP: set new node -1530625518 to QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444): processing HASH payload. message ID = 2764341778
*Aug 23 03:37:14.901: ISAKMP:(16444): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
        spi 0, message ID = 2764341778, sa = 0x513D19EC
*Aug 23 03:37:14.901: ISAKMP:(16444):peer does not do paranoid keepalives.

*Aug 23 03:37:14.901: ISAKMP:(16444):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer aa.bbb.cc.ddd)
*Aug 23 03:37:14.901: ISAKMP:(16444):deleting node -1530625518 error FALSE reason "Informational (in) state 1"
*Aug 23 03:37:14.901: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 23 03:37:14.901: ISAKMP:(16444):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 23 03:37:14.901: ISAKMP: set new node 1793199253 to QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.901: ISAKMP:(16444):purging node 1793199253
*Aug 23 03:37:14.901: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 23 03:37:14.901: ISAKMP:(16444):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Aug 23 03:37:14.905: ISAKMP:(16444):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer aa.bbb.cc.ddd)
*Aug 23 03:37:14.905: ISAKMP:(16444):deleting node 1235091029 error FALSE reason "IKE deleted"
*Aug 23 03:37:14.905: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.905: ISAKMP:(16444):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
crypto isakmp key 6 XXXXXXXXXX address aa.bbb.cc.ddd no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
!
crypto map s2s-name 1 ipsec-isakmp
 set peer aa.bbb.cc.ddd
 set transform-set strong
 set pfs group16
 match address interesting
 reverse-route static
!
!
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip ddns update namecheap
 ip address dhcp
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider
 crypto map s2s-name
!
interface GigabitEthernet0/1
 ip address 10.0.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1/64
 ipv6 enable
 no mop enabled
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard LAN-Addresses
 permit 10.0.50.0 0.0.0.255
ip access-list extended interesting
 permit ip 10.0.50.0 0.0.0.255 10.0.100.0 0.0.1.255

router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
ww.xxx.yy.zz    aa.bbb.cc.ddd   QM_IDLE          16445 ACTIVE

router#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: aa.bbb.cc.ddd port 500
  IKEv1 SA: local ww.xxx.yy.zz/500 remote aa.bbb.cc.ddd/500 Active
  IPSEC FLOW: permit ip 10.0.50.0/255.255.255.0 10.0.100.0/255.255.254.0
        Active SAs: 0, origin: crypto map

router#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: s2s-name, local addr ww.xxx.yy.zz

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.100.0/255.255.254.0/0/0)
   current_peer aa.bbb.cc.ddd port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: ww.xxx.yy.zz, remote crypto endpt.: aa.bbb.cc.ddd
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

szechyjs7
Level 1

I solved the problem: the phase 2 hash algorithm didn't match on the other side. Now all I have left is a routing issue on the other end.
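
Added example for this thread (editor's code, not from the original post and not Cisco or MikroTik code): a small Python triage of the "debug crypto isakmp" output above, plus the field-by-field phase 2 comparison that the reply says resolved it. It reads the peer's offered ISAKMP attributes (and decodes the byte-wise lifetime, 0x0 0x1 0x51 0x80, to 86400 s), confirms IKE_P1_COMPLETE was reached and Quick Mode was started, and flags the NOTIFY PROPOSAL_NOT_CHOSEN as a phase 2 rejection. The embedded debug lines are a constructed subset of the posted output. The MikroTik proposal is an assumption, since the post never shows that side; it is chosen to differ from the Cisco transform set only in the ESP integrity algorithm, the kind of mismatch the reply describes.

```python
"""Triage of the IKEv1 (ISAKMP) debug above plus a phase 2 proposal comparison.

Added example for this thread, not code from the original post, Cisco or
MikroTik. SAMPLE_DEBUG is a constructed subset of the posted debug lines;
MIKROTIK_PROPOSAL is an assumption, since the post never shows that side.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the "debug crypto isakmp" lines from the post.
SAMPLE_DEBUG = """\
*Aug 23 03:37:14.541: ISAKMP:      encryption AES-CBC
*Aug 23 03:37:14.541: ISAKMP:      keylength of 256
*Aug 23 03:37:14.541: ISAKMP:      hash SHA512
*Aug 23 03:37:14.541: ISAKMP:      default group 14
*Aug 23 03:37:14.541: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug 23 03:37:14.781: ISAKMP (16444): No NAT Found for self or peer
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Aug 23 03:37:14.853: ISAKMP:(16444):beginning Quick Mode exchange, M-ID of 1235091029
*Aug 23 03:37:14.901: ISAKMP:(16444): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
"""


def decode_vpi_lifetime(hex_bytes: str) -> int:
    """IOS prints the variable-length lifetime attribute byte by byte:
    '0x0 0x1 0x51 0x80' is big-endian 0x00015180 = 86400 seconds."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


@dataclass
class Triage:
    phase1_policy: dict = field(default_factory=dict)  # attributes the peer offered in Main Mode
    phase1_lifetime: Optional[int] = None
    nat_detected: Optional[bool] = None
    phase1_complete: bool = False
    quick_mode_started: bool = False
    notifies: list = field(default_factory=list)       # (notify name, protocol id) from the peer
    verdict: str = "undetermined"


_ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
_LIFE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
_NOTIFY = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")


def triage_isakmp_debug(text: str) -> Triage:
    """Walk the debug in order and decide which phase failed and why."""
    t = Triage()
    for line in text.splitlines():
        if m := _ATTR.search(line):
            t.phase1_policy[m.group(1).replace(" of", "")] = m.group(2)
        elif m := _LIFE.search(line):
            t.phase1_lifetime = decode_vpi_lifetime(m.group(1))
        elif "No NAT Found" in line:
            t.nat_detected = False
        elif "New State = IKE_P1_COMPLETE" in line:
            t.phase1_complete = True
        elif "beginning Quick Mode exchange" in line:
            t.quick_mode_started = True
        elif m := _NOTIFY.search(line):
            t.notifies.append((m.group(1), int(m.group(2))))
    names = {name for name, _ in t.notifies}
    if t.phase1_complete and t.quick_mode_started and "PROPOSAL_NOT_CHOSEN" in names:
        # ISAKMP policy was accepted and QM1 went out; the peer rejected the IPsec
        # proposal, so look at transform set, PFS group and proxy IDs, not phase 1.
        t.verdict = "phase2_proposal_rejected"
    elif t.phase1_complete:
        t.verdict = "phase1_ok_phase2_incomplete"
    else:
        t.verdict = "phase1_failed"
    return t


# IOS transform-set and PFS keywords normalised to the names RouterOS uses in
# /ip ipsec proposal, so the two sides compare field by field.
IOS_TO_COMMON = {
    "esp-aes": "aes-cbc", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
    "group14": "modp2048", "group16": "modp4096",
}


def parse_ios_phase2(transform_set_line: str, pfs_line: Optional[str] = None) -> dict:
    """E.g. 'crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac' and ' set pfs group16'."""
    toks = transform_set_line.split()[4:]  # drop 'crypto ipsec transform-set NAME'
    prop = {"enc": None, "keylen": None, "auth": None, "pfs": None}
    for i, tok in enumerate(toks):
        if tok.startswith("esp-") and tok.endswith("-hmac"):
            prop["auth"] = IOS_TO_COMMON.get(tok, tok)
        elif tok.startswith("esp-"):
            prop["enc"] = IOS_TO_COMMON.get(tok, tok)
            if i + 1 < len(toks) and toks[i + 1].isdigit():
                prop["keylen"] = int(toks[i + 1])
    if pfs_line:
        group = pfs_line.split()[-1]
        prop["pfs"] = IOS_TO_COMMON.get(group, group)
    return prop


def phase2_mismatches(ours: dict, theirs: dict) -> list:
    """Fields on which the two proposals differ; an empty list means they should agree."""
    return [k for k in ("enc", "keylen", "auth", "pfs") if ours.get(k) != theirs.get(k)]


# Hypothetical RouterOS side (assumption: not in the post), as if configured with
# enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp4096.
MIKROTIK_PROPOSAL = {"enc": "aes-cbc", "keylen": 256, "auth": "sha256", "pfs": "modp4096"}

if __name__ == "__main__":
    t = triage_isakmp_debug(SAMPLE_DEBUG)
    print(t.verdict, t.phase1_policy, t.phase1_lifetime, t.notifies)
    cisco = parse_ios_phase2("crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac",
                             " set pfs group16")
    print("phase 2 mismatches:", phase2_mismatches(cisco, MIKROTIK_PROPOSAL))
```

The verdict keys on the order of events rather than on the "fatal informational" string: IKE_P1_COMPLETE reached, QM1 sent, then PROPOSAL_NOT_CHOSEN from the peer. That sequence means the ISAKMP policy (AES-256, SHA-512, group 14, PSK) was already accepted and the thing to compare is the IPsec side: transform set, PFS group and proxy identities. Two things the comparison cannot cover from what is posted: the MikroTik proposal itself, and the access list named NAT in "ip nat inside source list NAT ... overload", which is not shown. On IOS, traffic from 10.0.50.0/24 to 10.0.100.0/23 must be excluded from that overload NAT; if it is translated first it leaves with the WAN address as source and never matches the crypto ACL, which would show up as a counter problem in "show crypto ipsec sa" rather than as a negotiation failure.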
